Search criteria
5 vulnerabilities
CVE-2025-11493 (GCVE-0-2025-11493)
Vulnerability from cvelistv5 – Published: 2025-10-16 19:00 – Updated: 2025-10-17 03:55
VLAI?
Summary
The ConnectWise Automate Agent does not fully verify the authenticity of files downloaded from the server, such as updates, dependencies, and integrations. This creates a risk where an on-path attacker could perform a man-in-the-middle attack and substitute malicious files for legitimate ones by impersonating a legitimate server. This risk is mitigated when HTTPS is enforced and is related to CVE-2025-11492.
Severity ?
8.8 (High)
CWE
- CWE-494 - Download of Code Without Integrity Check
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ConnectWise | Automate |
Affected:
All versions prior to 2025.9
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-11493",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-16T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-17T03:55:32.171Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Automate",
"vendor": "ConnectWise",
"versions": [
{
"status": "affected",
"version": "All versions prior to 2025.9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The ConnectWise Automate Agent does not fully verify the authenticity of files downloaded from the server, such as updates, dependencies, and integrations. This creates a risk where an on-path attacker could perform a man-in-the-middle attack and substitute malicious files for legitimate ones by impersonating a legitimate server. This risk is mitigated when HTTPS is enforced and is related to CVE-2025-11492."
}
],
"value": "The ConnectWise Automate Agent does not fully verify the authenticity of files downloaded from the server, such as updates, dependencies, and integrations. This creates a risk where an on-path attacker could perform a man-in-the-middle attack and substitute malicious files for legitimate ones by impersonating a legitimate server. This risk is mitigated when HTTPS is enforced and is related to CVE-2025-11492."
}
],
"impacts": [
{
"capecId": "CAPEC-186",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-186 Malicious Software Update"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-494",
"description": "CWE-494 Download of Code Without Integrity Check",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-16T19:00:39.119Z",
"orgId": "7d616e1a-3288-43b1-a0dd-0a65d3e70a49",
"shortName": "ConnectWise"
},
"references": [
{
"url": "https://www.connectwise.com/company/trust/security-bulletins/connectwise-automate-2025.9-security-fix"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003cb\u003eCloud:\u0026nbsp;\u003c/b\u003eCloud instances have already been updated to the latest\nAutomate release. \u0026nbsp;\u0026nbsp;\u003c/p\u003e\n\n\n\n\n\n\u003cp\u003e\u003cb\u003eOn-premise\u003c/b\u003e: Apply the 2025.9\nrelease.\u003c/p\u003e\n\n\n\n\n\n\n\n\u003cbr\u003e"
}
],
"value": "Cloud:\u00a0Cloud instances have already been updated to the latest\nAutomate release. \u00a0\u00a0\n\n\n\n\n\n\n\nOn-premise: Apply the 2025.9\nrelease."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Self-Update Verification Mechanism Process in ConnectWise Automate",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d616e1a-3288-43b1-a0dd-0a65d3e70a49",
"assignerShortName": "ConnectWise",
"cveId": "CVE-2025-11493",
"datePublished": "2025-10-16T19:00:39.119Z",
"dateReserved": "2025-10-08T11:26:01.814Z",
"dateUpdated": "2025-10-17T03:55:32.171Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-11492 (GCVE-0-2025-11492)
Vulnerability from cvelistv5 – Published: 2025-10-16 18:59 – Updated: 2025-10-17 03:55
VLAI?
Summary
In the ConnectWise Automate Agent, communications could be configured to use HTTP instead of HTTPS. In such cases, an on-path threat actor with a man-in-the-middle network position could intercept, modify, or replay agent-server traffic. Additionally, the encryption method used to obfuscate some communications over the HTTP channel is updated in the Automate 2025.9 patch to enforce HTTPS for all agent communications.
Severity ?
9.6 (Critical)
CWE
- CWE-319 - Cleartext Transmission of Sensitive Information
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ConnectWise | Automate |
Affected:
All versions prior to 2025.9
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-11492",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-16T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-17T03:55:31.431Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"Agent"
],
"product": "Automate",
"vendor": "ConnectWise",
"versions": [
{
"status": "affected",
"version": "All versions prior to 2025.9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In the ConnectWise Automate Agent, communications could be configured to use HTTP instead of HTTPS. In such cases, an on-path threat actor with a man-in-the-middle network position could intercept, modify, or replay agent-server traffic. Additionally, the encryption method used to obfuscate some communications over the HTTP channel is updated in the Automate 2025.9 patch to enforce HTTPS for all agent communications.\u003cbr\u003e\u003cbr\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003e\n\n\u003c/div\u003e\n\n\u003c/div\u003e\n\n\u003c/div\u003e"
}
],
"value": "In the ConnectWise Automate Agent, communications could be configured to use HTTP instead of HTTPS. In such cases, an on-path threat actor with a man-in-the-middle network position could intercept, modify, or replay agent-server traffic. Additionally, the encryption method used to obfuscate some communications over the HTTP channel is updated in the Automate 2025.9 patch to enforce HTTPS for all agent communications."
}
],
"impacts": [
{
"capecId": "CAPEC-94",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-94 Adversary in the Middle (AiTM)"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-319",
"description": "CWE-319 Cleartext Transmission of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-16T18:59:35.285Z",
"orgId": "7d616e1a-3288-43b1-a0dd-0a65d3e70a49",
"shortName": "ConnectWise"
},
"references": [
{
"url": "https://www.connectwise.com/company/trust/security-bulletins/connectwise-automate-2025.9-security-fix"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003cb\u003eCloud:\u0026nbsp;\u003c/b\u003eCloud instances have already been updated to the latest\nAutomate release. \u0026nbsp;\u0026nbsp;\u003c/p\u003e\n\n\n\n\n\n\u003cp\u003e\u003cb\u003eOn-premise:\u0026nbsp;\u003c/b\u003eApply the 2025.9\nrelease.\u003c/p\u003e\n\n\n\n\n\n\n\n\u003cbr\u003e"
}
],
"value": "Cloud:\u00a0Cloud instances have already been updated to the latest\nAutomate release. \u00a0\u00a0\n\n\n\n\n\n\n\nOn-premise:\u00a0Apply the 2025.9\nrelease."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "HTTP Configuration and Encryption in Transit",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d616e1a-3288-43b1-a0dd-0a65d3e70a49",
"assignerShortName": "ConnectWise",
"cveId": "CVE-2025-11492",
"datePublished": "2025-10-16T18:59:35.285Z",
"dateReserved": "2025-10-08T11:25:59.180Z",
"dateUpdated": "2025-10-17T03:55:31.431Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-7204 (GCVE-0-2025-7204)
Vulnerability from cvelistv5 – Published: 2025-07-09 14:50 – Updated: 2025-07-10 11:35
VLAI?
Summary
In ConnectWise PSA versions older than 2025.9, a
vulnerability exists where authenticated users could gain access to sensitive
user information. Specific API requests were found to return an overly verbose
user object, which included encrypted password hashes for other users.
Authenticated users could then retrieve these hashes.
An
attacker or privileged user could then use these exposed hashes to conduct
offline brute-force or dictionary attacks. Such attacks could lead to
credential compromise, allowing unauthorized access to accounts, and
potentially privilege escalation within the system.
Severity ?
6.5 (Medium)
CWE
- CWE-201 - Insertion of Sensitive Information Into Sent Data
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ConnectWise | PSA |
Affected:
All versions prior to 2025.9
|
Credits
Michael Newton (The Missing Link)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-7204",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-09T15:57:27.486627Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-09T15:57:34.717Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PSA",
"vendor": "ConnectWise",
"versions": [
{
"status": "affected",
"version": "All versions prior to 2025.9"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Michael Newton (The Missing Link)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn ConnectWise PSA versions older than 2025.9, a\nvulnerability exists where authenticated users could gain access to sensitive\nuser information. Specific API requests were found to return an overly verbose\nuser object, which included encrypted password hashes for other users.\nAuthenticated users could then retrieve these hashes.\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003eAn\nattacker or privileged user could then use these exposed hashes to conduct\noffline brute-force or dictionary attacks. Such attacks could lead to\ncredential compromise, allowing unauthorized access to accounts, and\npotentially privilege escalation within the system.\u003c/p\u003e\n\n\n\n\n\n\u003cb\u003e\u003c/b\u003e\u003cp\u003e\u003c/p\u003e"
}
],
"value": "In ConnectWise PSA versions older than 2025.9, a\nvulnerability exists where authenticated users could gain access to sensitive\nuser information. Specific API requests were found to return an overly verbose\nuser object, which included encrypted password hashes for other users.\nAuthenticated users could then retrieve these hashes.\u00a0\n\n\n\nAn\nattacker or privileged user could then use these exposed hashes to conduct\noffline brute-force or dictionary attacks. Such attacks could lead to\ncredential compromise, allowing unauthorized access to accounts, and\npotentially privilege escalation within the system."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-201",
"description": "CWE-201 Insertion of Sensitive Information Into Sent Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-10T11:35:40.506Z",
"orgId": "7d616e1a-3288-43b1-a0dd-0a65d3e70a49",
"shortName": "ConnectWise"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.connectwise.com/company/trust/security-bulletins/connectwise-psa-2025.9-security-fix"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.themissinglink.com.au/security-advisories/cve-2025-7204"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003cb\u003eCloud:\u003c/b\u003e\u003cbr\u003eCloud instances are automatically being updated to the latest ConnectWise PSA release.\u0026nbsp;\u003cbr\u003e\u003cbr\u003e\u003cb\u003eOn-Premise:\u003c/b\u003e\u003cbr\u003eApply the 2025.9 release patches and ensure all desktop clients are up to date.\u003cbr\u003e\u003cbr\u003e\u003c/p\u003e\n\n\n\n\n\n\u003cbr\u003e"
}
],
"value": "Cloud:\nCloud instances are automatically being updated to the latest ConnectWise PSA release.\u00a0\n\nOn-Premise:\nApply the 2025.9 release patches and ensure all desktop clients are up to date."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Exposure of password hashes via API responses in ConnectWise PSA",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d616e1a-3288-43b1-a0dd-0a65d3e70a49",
"assignerShortName": "ConnectWise",
"cveId": "CVE-2025-7204",
"datePublished": "2025-07-09T14:50:36.477Z",
"dateReserved": "2025-07-07T11:30:08.002Z",
"dateUpdated": "2025-07-10T11:35:40.506Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-4876 (GCVE-0-2025-4876)
Vulnerability from cvelistv5 – Published: 2025-05-19 16:04 – Updated: 2025-09-03 16:33
VLAI?
Summary
ConnectWise-Password-Encryption-Utility.exe in ConnectWise Risk Assessment allows an attacker to extract a hardcoded AES decryption key via reverse engineering. This key is embedded in plaintext within the binary and used in cryptographic operations without dynamic key management. Once obtained the key can be used to decrypt CSV input files used for authenticated network scanning.
Severity ?
6 (Medium)
CWE
- CWE-321 - Use of Hard-coded Cryptographic Key
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ConnectWise | Risk Assessment |
Affected:
All versions prior to deprecation (July 2023)
|
Credits
Joey Melo (jmelo@packetlabs.net)
Ian Lin (ilin@packetlabs.net)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-4876",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-19T16:48:28.836537Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-19T16:49:27.487Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"connectwise-password-encryption-utlity.exe"
],
"product": "Risk Assessment",
"vendor": "ConnectWise",
"versions": [
{
"status": "affected",
"version": "All versions prior to deprecation (July 2023)"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Joey Melo (jmelo@packetlabs.net)"
},
{
"lang": "en",
"type": "finder",
"value": "Ian Lin (ilin@packetlabs.net)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "ConnectWise-Password-Encryption-Utility.exe in ConnectWise Risk Assessment allows an attacker to extract a hardcoded AES decryption key via reverse engineering. This key is embedded in plaintext within the binary and used in cryptographic operations without dynamic key management. Once obtained the key can be used to decrypt CSV input files\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eused for authenticated network scanning.\u003c/span\u003e\n\n\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "ConnectWise-Password-Encryption-Utility.exe in ConnectWise Risk Assessment allows an attacker to extract a hardcoded AES decryption key via reverse engineering. This key is embedded in plaintext within the binary and used in cryptographic operations without dynamic key management. Once obtained the key can be used to decrypt CSV input files\u00a0used for authenticated network scanning."
}
],
"impacts": [
{
"capecId": "CAPEC-191",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-191 Read Sensitive Constants Within an Executable"
}
]
},
{
"capecId": "CAPEC-37",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-37 Retrieve Embedded Sensitive Data"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-321",
"description": "CWE-321 Use of Hard-coded Cryptographic Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-03T16:33:11.971Z",
"orgId": "7d616e1a-3288-43b1-a0dd-0a65d3e70a49",
"shortName": "ConnectWise"
},
"references": [
{
"url": "https://github.com/packetlabs/vulnerability-advisory/blob/main/Disclosures/PL-2025-11315/README.md"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "ConnectWise deprecated the tool in July 2023 and provided a new utility that does not contain hardcoded keys. The previous tool relied on a third-party utility that required credentials to be stored locally to perform authenticated network scans. Partners who still have the deprecated tool on their systems should remove it."
}
],
"value": "ConnectWise deprecated the tool in July 2023 and provided a new utility that does not contain hardcoded keys. The previous tool relied on a third-party utility that required credentials to be stored locally to perform authenticated network scans. Partners who still have the deprecated tool on their systems should remove it."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Hardcoded Key Revealed in ConnectWise Password Encryption Utility",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d616e1a-3288-43b1-a0dd-0a65d3e70a49",
"assignerShortName": "ConnectWise",
"cveId": "CVE-2025-4876",
"datePublished": "2025-05-19T16:04:34.031Z",
"dateReserved": "2025-05-16T20:18:46.987Z",
"dateUpdated": "2025-09-03T16:33:11.971Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-3935 (GCVE-0-2025-3935)
Vulnerability from cvelistv5 – Published: 2025-04-25 18:27 – Updated: 2025-10-21 22:55
VLAI?
Summary
ScreenConnect versions 25.2.3 and earlier versions may be susceptible to a ViewState code injection attack. ASP.NET Web Forms use ViewState to preserve page and control state, with data encoded using Base64 protected by machine keys.
It is important to note that to obtain these machine keys, privileged system level access must be obtained.
If these machine keys are compromised, attackers could create and send a malicious ViewState to the website, potentially leading to remote code execution on the server.
The risk does not originate from a vulnerability introduced by ScreenConnect, but from platform level behavior. This had no direct impact to ScreenConnect Client. ScreenConnect 2025.4 patch disables ViewState and removes any dependency on it.
Severity ?
8.1 (High)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ConnectWise | ScreenConnect |
Affected:
<25.2.3
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-3935",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-06T03:55:32.340641Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2025-06-02",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-3935"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T22:55:17.656Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-3935"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-06-02T00:00:00+00:00",
"value": "CVE-2025-3935 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Microsoft ASP.NET"
],
"product": "ScreenConnect",
"vendor": "ConnectWise",
"versions": [
{
"status": "affected",
"version": "\u003c25.2.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eScreenConnect versions 25.2.3 and earlier versions may be susceptible to a ViewState code injection attack. ASP.NET Web Forms use ViewState to preserve page and control state, with data encoded using Base64 protected by machine keys.\u0026nbsp;\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eIt is important to note that to obtain these machine keys, privileged system level access must be obtained. \u003c/span\u003e\n\n\u003c/span\u003e\u003cbr\u003e\u003cbr\u003eI\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ef these machine keys are compromised, attackers could create and send a malicious ViewState to the website, potentially leading to remote code execution on the server.\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cbr\u003e\u003c/span\u003e\n\n\u003cbr\u003eThe risk does not originate from a vulnerability introduced by ScreenConnect, but from platform level behavior.\u0026nbsp; This had no direct impact to ScreenConnect Client.\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eScreenConnect 2025.4 patch disables ViewState and removes any dependency on it. \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;\u003c/span\u003e"
}
],
"value": "ScreenConnect versions 25.2.3 and earlier versions may be susceptible to a ViewState code injection attack. ASP.NET Web Forms use ViewState to preserve page and control state, with data encoded using Base64 protected by machine keys.\u00a0\nIt is important to note that to obtain these machine keys, privileged system level access must be obtained. \n\n\n\nIf these machine keys are compromised, attackers could create and send a malicious ViewState to the website, potentially leading to remote code execution on the server.\u00a0\n\n\n\nThe risk does not originate from a vulnerability introduced by ScreenConnect, but from platform level behavior.\u00a0 This had no direct impact to ScreenConnect Client.\u00a0ScreenConnect 2025.4 patch disables ViewState and removes any dependency on it."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-03T16:31:13.339Z",
"orgId": "7d616e1a-3288-43b1-a0dd-0a65d3e70a49",
"shortName": "ConnectWise"
},
"references": [
{
"url": "https://www.connectwise.com/company/trust/security-bulletins/screenconnect-security-patch-2025.4"
},
{
"url": "https://www.connectwise.com/company/trust/advisories"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003c/p\u003e\u003cb\u003eCloud:\u0026nbsp;\u003c/b\u003eNo action is required. \u003cbr\u003e\u003cbr\u003e\u003cb\u003eOn-premises:\u0026nbsp;\u003c/b\u003eUpgrade to the latest stable version.\u003cbr\u003e\n\n\n\n\n\n\n\n\n\n\u003cp\u003eDetails and guidance can be found here:\n\n\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.connectwise.com/company/trust/security-bulletins/screenconnect-security-patch-2025.4\"\u003eScreenConnect 25.2.4 Security Patch\u003c/a\u003e\n\n\u003c/p\u003e\n\n\n\n\n\u003cbr\u003e"
}
],
"value": "Cloud:\u00a0No action is required. \n\nOn-premises:\u00a0Upgrade to the latest stable version.\n\n\n\n\n\n\n\n\n\n\nDetails and guidance can be found here:\n\n ScreenConnect 25.2.4 Security Patch https://www.connectwise.com/company/trust/security-bulletins/screenconnect-security-patch-2025.4"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "ScreenConnect Exposure to ASP.NET ViewState Code Injection",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d616e1a-3288-43b1-a0dd-0a65d3e70a49",
"assignerShortName": "ConnectWise",
"cveId": "CVE-2025-3935",
"datePublished": "2025-04-25T18:27:44.244Z",
"dateReserved": "2025-04-25T14:32:25.365Z",
"dateUpdated": "2025-10-21T22:55:17.656Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}