Full Report
ConnectWise released a security update to address vulnerabilities, one of them with critical severity, in Automate product that could expose sensitive communications to interception and modification. [...]
Analysis Summary
# Vulnerability: Critical/High Flaws in ConnectWise Automate Allowing MitM Update Attacks
## CVE Details
- CVE ID: CVE-2025-11492
- CVSS Score: 9.6 (Critical)
- CWE: Cleartext Transmission of Sensitive Information (Inferred from description)
- CVE ID: CVE-2025-11493
- CVSS Score: 8.8 (High)
- CWE: Lack of integrity verification (Inferred from description)
## Affected Systems
- Products: ConnectWise Automate
- Versions: All versions prior to 2025.9 (for on-premise deployment remediation timeline)
- Configurations: On-premise environments where agents are configured to communicate over HTTP or rely on insecure encryption settings.
## Vulnerability Description
Two vulnerabilities in ConnectWise Automate can be chained to allow an attacker to intercept, modify, or inject malicious updates or commands.
1. **CVE-2025-11492 (Critical):** Allows cleartext transmission of sensitive information. In on-prem deployments, agents can be configured to communicate over insecure HTTP, enabling a network-based adversary to intercept or modify traffic (including commands, credentials, and update payloads) via an Adversary-in-the-Middle (AitM) attack.
2. **CVE-2025-11493 (High):** Involves a lack of integrity verification (no digital signature or checksum) for update packages and their dependencies.
When combined, an attacker can credibly push malicious files (e.g., malware) disguised as legitimate updates by impersonating a valid ConnectWise server.
## Exploitation
- **Status:** Not explicitly stated as exploited in the wild, but the vendor warns that the vulnerabilities "have higher risk of being targeted by exploits in the wild."
- **Complexity:** Medium (Requires network positioning/control for MitM, especially factoring in the need to either exploit insecure configurations or chain the integrity bypass).
- **Attack Vector:** Network (for MitM exploitation of CVE-2025-11492).
## Impact
- **Confidentiality:** High (Sensitive communications, credentials can be intercepted via MitM).
- **Integrity:** High (Malicious updates/files can be substituted and executed).
- **Availability:** Potential Denial of Service or complete system compromise via substituted updates.
## Remediation
### Patches
- **ConnectWise Automate 2025.9:** This version addresses both vulnerabilities through required updates for cloud instances and highly recommended installation for on-prem deployments.
### Workarounds
- The primary mitigation recommended for on-premise administrators is to install the new release (2025.9) *as soon as possible*. (No specific temporary network/configuration workarounds were detailed, implying the patch is necessary due to the nature of the flaws).
## Detection
- **Indicators of Compromise:** Insecure communication logs showing agent traffic over HTTP instead of HTTPS. Unauthorized file execution or unexpected update processes initiated from agent machines.
- **Detection Methods and Tools:** Monitoring network traffic near Automate servers and agents for unencrypted transfers. Reviewing integrity checks performed on incoming update packages.
## References
- Vendor Security Bulletin: hxxps://www.connectwise.com/company/trust/security-bulletins/connectwise-automate-2025.9-security-fix
- BleepingComputer Report: hxxps://www.bleepingcomputer.com/news/security/connectwise-fixes-automate-bug-allowing-aitm-update-attacks/