There's a version of this story that ends very differently.

In that version, a bad actor finds the vulnerability before we do. They don't call the software company or wait for a patch. They quietly walk through the door we found, and tens of thousands of businesses never know it happened.

That's not the story we're telling. But it almost was.

What We Found

In 2023, the American PCS team discovered a critical security vulnerability in Passportal, a password management tool built by N-able and used by tens of thousands of Managed Service Providers (MSPs) and their clients worldwide.

The vulnerability: the Passportal browser extension was logging sensitive data (including credentials) in a way that could be accessed and exploited.

The N-able Passportal Chrome extension (prior to version 3.29.2) was found to be inserting sensitive information into a log file. That may sound technical and contained. It wasn’t.

Why This Was a Big Deal

To understand the scope, you have to understand what MSPs do.

Managed Service Providers like American PCS serve as the IT department for dozens of client businesses. That means we hold the administrative credentials for our clients' systems. Every login. Every server. Every network. It's a position of deep trust, and it requires airtight security.

Passportal is the tool many MSPs use to manage and protect those credentials.

If a bad actor had discovered this vulnerability before we did, they wouldn't have just accessed one company's data. They could have used a single point of entry to move laterally across every client an MSP serves. The cybersecurity world calls this scenario a supply chain attack, and the damage could have been enormous.

What made this especially serious: some Passportal users were departments within the United States government.

What We Did

When we identified the vulnerability, we didn't post about it.

Our team simply contacted N-able directly and worked with their security team to document and understand the full scope of the issue. After thorough collaboration, N-able released a patch: version 3.29.2 of the Passportal Chrome extension.

What happened next tells you something about the severity of what we found.

Months passed before N-able made any public disclosure. When we followed up with David MacKinnon, Chief Security Officer at N-able, he explained why: government clients using Passportal needed to be fully patched before the vulnerability details could be made public. A premature disclosure, with U.S. government systems still exposed, could have created more risk than it resolved.

That's not a standard software patch timeline. That's a national security consideration.

How It Was Classified

The vulnerability was officially published in the National Vulnerability Database on February 8, 2024, and is catalogued as CVE-2023-47131. It was rated High Risk, the second-highest severity classification in the CVSS scoring system used by NIST and security professionals worldwide.

You can view the official NIST (National Institute of Standards and Technology) record here: CVE-2023-47131 on NVD

N-able's official security advisory, which includes acknowledgment of the American PCS team's discovery, is available here: N-able Security Advisory: CVE-2023-47131

What This Means for You

Cybersecurity isn't just about having the right tools. It's about having a team that actually uses them AND knows what to look for when something isn't right.

The American PCS team found this vulnerability not because we were running a formal audit, but because we were paying attention. That's what proactive IT looks like in practice.

If your current IT provider isn't proactively monitoring, testing, and questioning the tools in your stack, including the security tools themselves, it's worth asking why.