CVE-2025-11492

Critical CVSS: 9.6

In the ConnectWise Automate Agent, communications could be configured to use HTTP instead of HTTPS. In such cases, an on-path threat actor with a man-in-the-middle network position could intercept, modify, or replay agent-server traffic. Additionally, the encryption method used to obfuscate some communications over the HTTP channel is updated in the Automate 2025.9 patch to enforce HTTPS for all agent communications.

Vendor

Connectwise

Product

Automate

CWE

CWE-319

Yayın Tarihi

2025-10-16 19:15:31

Güncelleme

2025-10-29 19:33:29

Source Identifier

7d616e1a-3288-43b1-a0dd-0a65d3e70a49

KEV Date Added

Kategoriler

CWE-319 Automate CRITICAL Connectwise 2025

Referanslar

https://www.connectwise.com/company/trust/security-bulletins/connectwise-automate-2025.9-security-fix

Benzer Kayıtlar

High

CVE-2026-0695

In ConnectWise PSA versions older than 2026.1, Time Entry notes stored in the Time Entry Audit Trail may be rendered wit…

Medium

CVE-2026-0696

In ConnectWise PSA versions older than 2026.1, certain session cookies were not set with the HttpOnly attribute. In some…

Medium

CVE-2025-14823

In deployments using the ScreenConnect™ Certificate Signing Extension, encrypted configuration values including an Azure…

Critical

CVE-2025-14265

In versions of ScreenConnect™ prior to 25.8, server-side validation and integrity checks within the extension subsystem…

High

CVE-2025-11493

The ConnectWise Automate Agent does not fully verify the authenticity of files downloaded from the server, such as updat…

Medium

CVE-2025-7204

In ConnectWise PSA versions older than 2025.9, a vulnerability exists where authenticated users could gain access to sen…