Critical ConnectWise Automate Agent Man-in-the-Middle Vulnerability (CVE-2025-11492)
A critical vulnerability, tracked as CVE-2025-11492 with a CVSS score of 9.6, was identified in the ConnectWise Automate Agent, allowing for man-in-the-middle (MitM) attacks due to improper HTTP configuration and lack of enforced encryption in transit. The flaw enables agent communications to be configured over HTTP instead of HTTPS, exposing sensitive agent-server traffic to interception, modification, or replay by an attacker positioned on the network path. Security researchers highlighted that the encryption method used to obfuscate some communications over HTTP was insufficient, prompting ConnectWise to release the Automate 2025.9 patch, which enforces HTTPS for all agent communications. This vulnerability could allow attackers to gain unauthorized access to sensitive information or manipulate agent-server interactions, posing significant risks to managed service providers and their clients. The issue was disclosed publicly in mid-October 2025, with both security advisories and vulnerability databases emphasizing its critical nature. The vulnerability does not allow for remote exploitation without network access, but it significantly increases risk in environments where HTTP is used. ConnectWise responded by updating their software to mandate secure communication channels, thereby mitigating the risk of MitM attacks. The flaw affects all versions of the Automate Agent where HTTP was permitted, though specific affected versions were not detailed in the advisories. Organizations using ConnectWise Automate are urged to apply the latest patches immediately to ensure all agent communications are encrypted. The vulnerability underscores the importance of enforcing secure transport protocols in remote monitoring and management (RMM) tools. Security experts warn that failure to address this issue could result in data breaches, unauthorized command execution, or further compromise of managed endpoints. The incident has prompted broader discussions about the security of RMM platforms and the need for robust verification of agent-server communications. While no active exploitation has been reported at the time of disclosure, the high severity rating reflects the potential impact if left unremediated. ConnectWise has provided guidance for customers to verify their configurations and ensure compliance with the new security requirements. The vulnerability is distinct from, but related to, another flaw (CVE-2025-11493) affecting the self-update verification mechanism, which is mitigated by enforcing HTTPS as addressed in CVE-2025-11492.
Timeline
Oct 17, 2025
Technical details published for CVE-2025-11492
Public reporting described CVE-2025-11492 as a critical ConnectWise Automate flaw with a CVSS score of 9.6. The report said the issue could allow a man-in-the-middle attack against remote monitoring and management agents.
Oct 16, 2025
CVE-2025-11492 disclosed for ConnectWise Automate
A high-severity vulnerability, CVE-2025-11492, affecting ConnectWise Automate was publicly disclosed. The flaw involves HTTP configuration and encryption in transit and was later described as enabling a man-in-the-middle attack against RMM agents.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Sources
Related Stories
ConnectWise Automate Vulnerabilities Allowing Fake Updates and Unencrypted Communications
ConnectWise Automate, a widely used IT management platform, was found to contain two critical vulnerabilities, CVE-2025-11492 and CVE-2025-11493, which were addressed in the security update for version 2025.9. The first vulnerability, CVE-2025-11492, is rated with a CVSS score of 9.6 and arises from agents transmitting data without encryption when configured to use HTTP instead of HTTPS. This flaw allows attackers with network access to intercept or modify unencrypted communications, potentially exposing sensitive credentials or commands. The second vulnerability, CVE-2025-11493, with a CVSS score of 8.8, is due to missing integrity verification during the update process. This could enable attackers to inject malicious or tampered update files that appear legitimate, leading to unauthorized code execution on managed systems. Both vulnerabilities primarily affect on-premises deployments of ConnectWise Automate running versions prior to 2025.9. ConnectWise published a security advisory on October 16, 2025, urging customers to update to version 2025.9 to mitigate these risks. The Canadian Centre for Cyber Security also issued an alert, recommending that users and administrators review the advisories and apply the necessary updates immediately. The flaws highlight the risks associated with improper use of unsecured communication protocols and the lack of integrity checks in software update mechanisms. Organizations hosting on-premises Automate servers are particularly at risk if they have not yet applied the latest security fixes. The vulnerabilities could be exploited by attackers already present within the network, emphasizing the importance of internal network security and monitoring. The exposure of credentials or the ability to execute unauthorized code could lead to further compromise of managed endpoints. Security experts recommend that organizations not only update their ConnectWise Automate installations but also review their network configurations to ensure encrypted communications are enforced. The advisories stress the urgency of patching, as threat actors may attempt to weaponize these vulnerabilities quickly. The incident underscores the broader need for robust security practices in IT management platforms, which are often high-value targets for attackers. ConnectWise has provided detailed guidance and links to the latest advisories to assist customers in remediation. The vulnerabilities serve as a reminder of the importance of secure software development and regular security assessments for critical infrastructure tools. Organizations are advised to monitor for signs of exploitation and to implement additional controls where possible to mitigate the risk of similar vulnerabilities in the future.
1 months ago
Critical ScreenConnect Vulnerability Allows Configuration Data Exposure and Untrusted Extension Installation
ConnectWise released a security update for ScreenConnect to address a critical vulnerability, tracked as CVE-2025-14265, which affects the server component of the remote access platform. The flaw, caused by improper code integrity validation during extension installations (CWE-494), could allow attackers with authorized or administrative access to expose sensitive configuration data and install untrusted extensions. The vulnerability carries a CVSS 3.1 base score of 9.1, highlighting its severity, though ConnectWise reports no evidence of active exploitation at this time. The issue impacts all ScreenConnect versions prior to 25.8, and the 25.8 patch enforces stricter server-side validation and integrity checks for extension installations. ConnectWise has automatically applied updates to cloud-hosted ScreenConnect instances, while on-premises users must manually upgrade to version 25.8. Partners using Automate integration are advised to update their Automate ScreenConnect Extension before upgrading ScreenConnect itself. Security advisories from both ConnectWise and the Canadian Centre for Cyber Security urge organizations to prioritize patching to prevent potential unauthorized access and maintain secure remote management environments. The vulnerability is rated as Priority 2 – Moderate, with a recommended update window of 30 days, but immediate action is encouraged due to the risk of sensitive data exposure.
1 months ago
Critical ScreenConnect Flaw Exposes Machine Keys and Enables Session Hijacking
**ConnectWise ScreenConnect** disclosed a critical vulnerability, **CVE-2026-3564** (**CVSS 9.0**), affecting versions prior to **26.1**. The flaw stems from ScreenConnect storing unique per-instance machine keys and related cryptographic material in plaintext server configuration files, creating a path for attackers under certain conditions to extract those keys and abuse them for unauthorized access. The issue is classified as **CWE-347: Improper Verification of Cryptographic Signature**, and successful exploitation can undermine confidentiality, integrity, and availability in environments that rely on ScreenConnect for remote access. With the exposed machine keys, an attacker could forge or manipulate session authentication tokens, hijack legitimate sessions, and elevate access without user interaction. ConnectWise rated the issue as high priority, and the **Centre for Cybersecurity Belgium** urged organizations to patch immediately, monitor for suspicious activity, and treat updates as protection against future exploitation rather than proof that no prior compromise occurred. The vendor states the issue is fixed in **version 26.1**, making rapid remediation and post-patch review important for on-premises deployments.
1 months ago