Microsoft has confirmed Edge stores every saved password in process memory as cleartext. They have classified the behaviour as "by design". The control is now yours to direct.
Direct your CIO to disable Edge's built-in password manager across your fleet this week. Then ask how many of your staff have credentials saved there today.
The reason is direct. On 29 April 2026, a penetration tester at Palo Alto Networks Norway's BigBiteOfTech conference demonstrated that Microsoft Edge decrypts every saved password into the browser's process memory the moment it launches, then keeps them in cleartext for the entire session. Sites the user no longer visits. Credentials they have not used in months. All of it sits in plain text in memory until the browser is closed.
Microsoft's response, when notified, was that the behaviour is "by design" and does not meet the bar for servicing. That is the company's official position.
For Australian and New Zealand boards, that resets the question. The control is not coming from Microsoft. The control is your governance.
Researcher Tom Jøran Sønstebyseter Rønning tested every major Chromium-based browser. He found Edge alone exhibits this behaviour. Chrome and Brave decrypt credentials only when needed, and Chrome's Application-Bound Encryption ties decryption keys to an authenticated process so other software on the same machine cannot reuse them. Edge does neither.
The exposure is process memory, not the on-disk vault. The on-disk vault remains encrypted. The username, password and origin URL for every saved site sit in the parent msedge.exe heap, readable to anyone with sufficient privilege on the host. Rønning has published a proof-of-concept tool on GitHub that demonstrates the extraction in seconds.
The authentication prompt that Edge displays before revealing a saved password is, in Rønning's words, theatrical. The credentials are already in cleartext memory before that prompt fires.
Microsoft's stated position is that an attacker with the privileges required to read Edge's process memory could compromise the host through other means, so the scenario sits outside the browser's threat model. The company's password manager FAQ goes a step further and frames the design as a balance of "performance, usability and security".
A separate researcher reported the same behaviour in 2025 and received the same response. There is no patch on the way. Boards should plan accordingly.
Edge is the default browser on the managed Windows fleets that run most ANZ enterprises. The risk concentrates in three environments common across the regulated sectors we serve.
Citrix, VDI and Remote Desktop Services hosts. An attacker or insider with administrative privileges on a multi-session host can dump the parent Edge process memory of every signed-in and disconnected user on that box. Rønning describes this scenario plainly as a credential harvest. This is the reference architecture for contractor and remote worker access in most ANZ banks, insurers, aged care providers and government agencies.
Shared workstations. Common in clinical, aged care and shift-based environments where a single device is used by multiple staff across rosters.
Compromised endpoints. Any incident that yields local administrator escalation on a Windows host hands the attacker every credential the user has saved in Edge, including for systems unrelated to the initial compromise.
Managed endpoints. An attacker who compromises an administrator's machine can use its remote access to read Edge process memory on every device it administers across the corporate fleet.
Each of these sits squarely inside the obligations boards already have:
Seven actions sit within board governance reach. They do not require deep technical specification. They do require a directive.
PasswordManagerEnabled = 0. This is the highest-leverage control and can be enforced inside one change window.

msedge.exe at the SOC. The proof-of-concept code is public, and the indicators are knowable.

"The Edge finding is not novel cryptography. It is a design philosophy that puts performance ahead of secret hygiene, and Microsoft has been transparent that they are not changing it. That is fine, as long as boards understand they have just inherited the control."
"Every CISO I work with across Australia and New Zealand can name a Citrix farm, a VDI fleet or a shared clinical workstation environment where this risk is concrete today. The hard work is not the technical change. The setting is one Group Policy. The hard work is reaching into every application that allows browser autofill, getting those credentials into a managed vault, and onto passkeys where possible. That is a 60 to 90 day program for most mid-market organisations, and it should start now."
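As an added example (not code from Insicon Cyber, Microsoft or the researcher's tool), the following PowerShell implements the one Group Policy setting named above on a single Windows host and adds the two checks the directive implies: how many user profiles on the host still hold an Edge saved-credential store, and whether Sysmon has recorded another process opening msedge.exe for memory reads. It assumes the documented Edge policy registry location under HKLM\SOFTWARE\Policies\Microsoft\Edge, the Edge profile layout under each user's AppData\Local\Microsoft\Edge\User Data, and a Sysmon deployment that logs Event ID 10 (ProcessAccess); the 24-hour lookback and the exclusion of Edge's own processes from the hunt are assumptions to tune locally.

```powershell
# Added example: enforce PasswordManagerEnabled = 0 on one host, verify it,
# inventory profiles that hold a saved-credential store, and hunt Sysmon
# ProcessAccess events against msedge.exe. Assumed paths and log names are noted inline.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'   # documented Edge policy location

function Set-EdgePasswordManagerPolicy {
    # Creates the policy key if absent and sets PasswordManagerEnabled to 0 (disabled).
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name 'PasswordManagerEnabled' `
        -PropertyType DWord -Value 0 -Force | Out-Null
}

function Test-EdgePasswordManagerPolicy {
    # Returns $true only when the policy value exists and is explicitly 0.
    $v = (Get-ItemProperty -Path $PolicyKey -Name 'PasswordManagerEnabled' `
          -ErrorAction SilentlyContinue).PasswordManagerEnabled
    return ($null -ne $v -and [int]$v -eq 0)
}

function Get-EdgeCredentialStoreInventory {
    # Heuristic inventory: each Edge profile keeps saved logins in a 'Login Data'
    # SQLite file (assumed path). Existence and size show a store is present, not how
    # many entries it holds; Edge creates an empty store on first profile use. The file
    # stays encrypted on disk and nothing here decrypts it.
    $pattern = 'C:\Users\*\AppData\Local\Microsoft\Edge\User Data\*\Login Data'
    Get-ChildItem -Path $pattern -File -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            User          = $_.FullName.Split('\')[2]   # C:\Users\<user>\...
            Profile       = $_.Directory.Name          # Default, Profile 1, ...
            SizeBytes     = $_.Length
            LastWriteTime = $_.LastWriteTime
        }
    }
}

function Find-EdgeProcessAccessEvents {
    param([int]$LookbackHours = 24)   # assumed window; tune to local log retention
    # Sysmon Event ID 10 records one process opening a handle to another process.
    # Flag handles to msedge.exe whose GrantedAccess includes PROCESS_VM_READ (0x10),
    # excluding Edge's own processes, which legitimately open each other.
    $filter = @{ LogName   = 'Microsoft-Windows-Sysmon/Operational'
                 Id        = 10
                 StartTime = (Get-Date).AddHours(-$LookbackHours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d = @{ Time = $_.TimeCreated }
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        [pscustomobject]$d
    } | Where-Object {
        $_.TargetImage -like '*\msedge.exe' -and
        $_.SourceImage -notlike '*\msedge.exe' -and
        (([Convert]::ToInt32($_.GrantedAccess, 16)) -band 0x10) -ne 0
    } | Select-Object Time, SourceImage, TargetImage, GrantedAccess
}

# Usage on a host (run elevated for the policy write and the Sysmon log read):
Set-EdgePasswordManagerPolicy
"PasswordManagerEnabled=0 enforced: $(Test-EdgePasswordManagerPolicy)"
Get-EdgeCredentialStoreInventory | Format-Table -AutoSize
Find-EdgeProcessAccessEvents | Format-Table -AutoSize
```

At fleet scale the policy itself belongs in a Group Policy Object or Intune configuration profile rather than a per-host script; the verification and inventory functions are what a board-level directive needs reported back, and the Sysmon hunt is the kind of indicator the SOC can alert on while the migration to a managed vault runs.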
Greg Bunt is a co-founder and Director at Insicon Cyber.
Insicon Cyber works with organisations across Australia and New Zealand on exactly this kind of governance translation. Our Board Cyber Advisory and Managed Security Services practices are working with clients on:
If you would like a 30 minute briefing on what this means for your environment, contact us and we would be happy to book a convenient time.