CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2025-11492

CVSS 9.6v3.1pub. 2025-10-16upd. 2025-10-29

In the ConnectWise Automate Agent, communications could be configured to use HTTP instead of HTTPS. In such cases, an on-path threat actor with a man-in-the-middle network position could intercept, modify, or replay agent-server traffic. Additionally, the encryption method used to obfuscate some communications over the HTTP channel is updated in the Automate 2025.9 patch to enforce HTTPS for all agent communications.

CVSS Vector
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Connectwise Automate

    APP
    Connectwise
    < 2025.9
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
CWE
References

Related vulnerabilities

CVE-2021-35066CRITICAL9.8ten sam produkt

An XXE vulnerability exists in ConnectWise Automate before 2021.0.6.132.

CVE-2020-15027CRITICAL9.8ten sam produkt

ConnectWise Automate through 2020.x has insufficient validation on certain authentication paths, allowing auth...

CVE-2026-6066HIGH7.1ten sam produkt

ConnectWise has released a security update for ConnectWise Automate™ that addresses a behavior in the ConnectW...

CVE-2025-11493HIGH8.8ten sam produkt

The ConnectWise Automate Agent does not fully verify the authenticity of files downloaded from the server, suc...

CVE-2023-47257HIGH8.1ten sam produkt

ConnectWise ScreenConnect through 23.8.4 allows man-in-the-middle attackers to achieve remote code execution v...