CVE-2025-14265

Critical CVSS: 9.1

In versions of ScreenConnect™ prior to 25.8, server-side validation and integrity checks within the extension subsystem could allow the installation and execution of untrusted or arbitrary extensions by authorized or administrative users. Abuse of this behavior could result in the execution of custom code on the server or unauthorized access to application configuration data. This issue affects only the ScreenConnect server component; host and guest clients are not impacted. ScreenConnect 25.8 introduces enhanced server-side configuration handling and integrity checks to ensure only trusted extensions can be installed.

Vendor

Connectwise

Product

Screenconnect

CWE

CWE-494

Yayın Tarihi

2025-12-11 15:15:46

Güncelleme

2026-01-16 15:35:15

Source Identifier

7d616e1a-3288-43b1-a0dd-0a65d3e70a49

KEV Date Added

Kategoriler

CWE-494 Screenconnect CRITICAL Connectwise 2025

Referanslar

https://www.connectwise.com/company/trust/security-bulletins/screenconnect-2025.8-security-patch

Benzer Kayıtlar

High

CVE-2026-0695

In ConnectWise PSA versions older than 2026.1, Time Entry notes stored in the Time Entry Audit Trail may be rendered wit…

Medium

CVE-2026-0696

In ConnectWise PSA versions older than 2026.1, certain session cookies were not set with the HttpOnly attribute. In some…

Medium

CVE-2025-14823

In deployments using the ScreenConnect™ Certificate Signing Extension, encrypted configuration values including an Azure…

High

CVE-2025-11493

The ConnectWise Automate Agent does not fully verify the authenticity of files downloaded from the server, such as updat…

Critical

CVE-2025-11492

In the ConnectWise Automate Agent, communications could be configured to use HTTP instead of HTTPS. In such cases, an on…

Medium

CVE-2025-7204

In ConnectWise PSA versions older than 2025.9, a vulnerability exists where authenticated users could gain access to sen…