Critical ConnectWise Automate Flaws Exposed MSPs to Update Hijacking and AiTM Attacks
Managed service providers (MSPs) and enterprise IT teams relying on ConnectWise Automate are racing to patch two critical vulnerabilities that could enable adversary-in-the-middle (AiTM) attacks and malicious update injections. The remote monitoring and management (RMM) platform—used to control thousands of client devices—contained flaws that expose sensitive communications and update mechanisms.
The Twin Threats: Cleartext and Compromised Integrity
The more severe flaw, CVE-2025-11492 (CVSS 9.6), allowed Automate agents to communicate over unencrypted HTTP instead of HTTPS. This cleartext transmission creates a golden opportunity for network-based attackers to intercept credentials, commands, and update payloads. As ConnectWise confirmed:
"In on-prem environments, agents could be configured to use HTTP or rely on encryption, that could allow a network-based adversary to view or modify traffic or substitute malicious updates."
The secondary vulnerability, CVE-2025-11493 (CVSS 8.8), failed to enforce cryptographic verification for update packages, dependencies, and integrations. Without digital signatures or checksums, attackers could weaponize the first flaw to push trojanized updates while masquerading as legitimate ConnectWise servers.
Chained Attack Scenario: A Hacker's Playground
When combined, these vulnerabilities create a potent attack chain:
1. Interception: An attacker positions themselves between Automate agents and the management server using network access.
2. Modification: They alter update packages or inject malware into unencrypted communications.
3. Execution: Compromised updates deploy across all connected endpoints with high privileges.
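The chain above works only because the agent neither insists on an encrypted transport nor verifies what it downloads. The following Python script is an added illustration, not ConnectWise code and not derived from the Automate update protocol: it models the two checks a hardened update client performs at each step of that chain (refuse cleartext sources, verify a signed manifest and the package digest it vouches for before anything executes). HMAC-SHA256 from the standard library stands in for a real vendor signature scheme, and the URLs, key and package bytes are constructed sample values.

```python
"""Update-integrity checks an RMM agent should perform before applying a package.
Illustrative only: stdlib HMAC-SHA256 stands in for a vendor signature scheme
(assumption), and every URL, key and package below is a constructed sample."""
import hashlib
import hmac
import json
from urllib.parse import urlparse

# Constructed sample key. A production agent would pin a vendor *public* key and
# verify asymmetric signatures, never hold a shared secret that could be stolen.
SIGNING_KEY = b"example-signing-key-not-real"


class UpdateRejected(Exception):
    """Raised whenever an update fails a transport or integrity check."""


def require_https(url: str) -> str:
    """Counter to the cleartext-transport flaw: only HTTPS sources are accepted."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise UpdateRejected(f"refusing non-HTTPS update source: {url}")
    return url


def sign_manifest(manifest: dict, key: bytes) -> str:
    """Server side: sign the canonical JSON encoding of the manifest."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_update(url: str, manifest: dict, signature: str,
                  package: bytes, key: bytes) -> bool:
    """Counter to the missing-verification flaw: check the manifest signature
    first, then confirm the package matches the digest the manifest vouches for."""
    require_https(url)
    expected_sig = sign_manifest(manifest, key)
    if not hmac.compare_digest(expected_sig, signature):
        raise UpdateRejected("manifest signature mismatch")
    digest = hashlib.sha256(package).hexdigest()
    if not hmac.compare_digest(digest, manifest["sha256"]):
        raise UpdateRejected("package digest does not match signed manifest")
    return True


def demo() -> dict:
    """Run the article's interception/modification/execution chain against a
    hardened client: the legitimate update passes, the rest are rejected."""
    package = b"\x4d\x5aconstructed-sample-update-bytes"
    manifest = {"name": "agent-update", "version": "1.2.3",
                "sha256": hashlib.sha256(package).hexdigest()}
    signature = sign_manifest(manifest, SIGNING_KEY)
    good_url = "https://updates.example.invalid/pkg"
    results = {"legit": verify_update(good_url, manifest, signature, package, SIGNING_KEY)}

    # Step 1: an on-path attacker can only read or rewrite traffic if the agent
    # talks plain HTTP; a client that refuses the scheme never gets that far.
    try:
        verify_update("http://updates.example.invalid/pkg", manifest, signature, package, SIGNING_KEY)
        results["cleartext"] = "accepted"
    except UpdateRejected as e:
        results["cleartext"] = str(e)

    # Step 2: a modified package no longer matches the signed digest.
    tampered = package + b"injected"
    try:
        verify_update(good_url, manifest, signature, tampered, SIGNING_KEY)
        results["tampered"] = "accepted"
    except UpdateRejected as e:
        results["tampered"] = str(e)

    # Rewriting the manifest to match the tampered digest does not help either:
    # the signature no longer covers the altered manifest.
    forged = dict(manifest, sha256=hashlib.sha256(tampered).hexdigest())
    try:
        verify_update(good_url, forged, signature, tampered, SIGNING_KEY)
        results["forged_manifest"] = "accepted"
    except UpdateRejected as e:
        results["forged_manifest"] = str(e)
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The order of the checks matters: the signature over the manifest is verified before the package digest is compared, so an attacker who can rewrite both the package and its manifest (step 2 of the chain) still cannot reach step 3 without the signing key. Had the agent compared only an unsigned checksum, the forged-manifest case would have been accepted.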
This is particularly dangerous for MSPs managing client infrastructure—a single breach could cascade across hundreds of organizations.
Patch Urgency for On-Premise Deployments
While ConnectWise has already updated its cloud instances to Automate 2025.9, on-premise administrators must apply the update themselves, and promptly. The vendor classifies the update as "moderate" priority but warns of a "higher risk of being targeted by exploits in the wild." Given ConnectWise's history of being targeted by nation-state actors, including a 2025 breach that compromised ScreenConnect customers, delaying the patch is risky. After that incident the company had to rotate all of its digital certificates to prevent malicious code signing.
Why RMM Security Can't Be an Afterthought
This disclosure underscores the massive attack surface of RMM tools, which often hold the "keys to the kingdom" for managed environments. As threat actors increasingly target MSP supply chains, enforced encryption of agent traffic and cryptographic verification of updates aren't optional; they're existential requirements. For IT teams using Automate, upgrading within days isn't just recommended; it's the barrier standing between a single intercepted connection and an enterprise-wide compromise.
Source: BleepingComputer