
Critical CVEs Impacting ConnectWise Automate: Urgent Patch Required to Prevent AiTM Update Attacks

  • Rescana
  • Oct 19

Executive Summary

ConnectWise has issued urgent security updates for its Automate remote monitoring and management (RMM) platform, remediating two critical vulnerabilities—CVE-2025-11492 and CVE-2025-11493—that enable adversary-in-the-middle (AiTM) update attacks. These flaws allow attackers to intercept, manipulate, and inject malicious updates into agent communications, potentially resulting in full compromise of managed endpoints. The vulnerabilities are especially dangerous due to their low exploitation complexity and the privileged access Automate agents possess. All organizations running on-premise instances of ConnectWise Automate must update immediately to mitigate the risk of compromise. This advisory provides a comprehensive technical breakdown, exploitation context, and actionable mitigation guidance.

Technical Information

The vulnerabilities in ConnectWise Automate, CVE-2025-11492 and CVE-2025-11493, represent a potent attack vector for adversaries seeking to compromise managed IT environments. The first vulnerability, CVE-2025-11492, is classified as a cleartext transmission of sensitive information (CWE-319), with a CVSS v3.1 score of 9.6 (Critical). It arises when Automate agents are configured to communicate over HTTP rather than HTTPS, exposing all agent-server traffic to interception and manipulation by any attacker with access to the same network segment or VPN. This includes sensitive data such as credentials, commands, and update payloads. The 2025.9 patch enforces HTTPS for all agent communications, closing this critical gap.

The second vulnerability, CVE-2025-11493, is a lack of update package integrity verification (CWE-494), with a CVSS v3.1 score of 8.8 (High). Prior to the patch, update packages and their dependencies lacked cryptographic integrity checks, such as digital signatures or checksums. When exploited in conjunction with CVE-2025-11492, an attacker in a man-in-the-middle position could impersonate the ConnectWise server and deliver malicious update files to endpoints, resulting in remote code execution with the privileges of the Automate agent.

The technical attack chain is as follows: an attacker first establishes a man-in-the-middle position on the network, using techniques such as ARP cache poisoning, compromised VPN access, or internal network compromise. The attacker then intercepts HTTP traffic between Automate agents and the server, capturing or modifying sensitive data. Leveraging the lack of update integrity verification, the attacker can substitute legitimate update packages with malicious payloads, which are then executed on managed endpoints. This attack vector is particularly insidious because it requires no user interaction and can be executed with minimal privileges, provided the attacker has network access.

Indicators of compromise include the presence of unauthorized or unexpected update files on endpoints, agent communications occurring over HTTP rather than HTTPS, network traffic containing cleartext credentials or commands, and evidence of ARP spoofing or other local network attacks. Organizations should also monitor for anomalous agent behavior, such as unexpected process launches or configuration changes.
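Two of the indicators above, agent traffic over plain HTTP and evidence of ARP spoofing, expressed as detection logic over constructed log lines. This is an added example, not code from the advisory or from ConnectWise; the log layouts, the management hostname and the field order are assumptions.

```python
# Added detection example (not from the advisory or ConnectWise): two checks
# over constructed logs for the indicators above. The log layouts, the
# management hostname and the field order are assumptions for this demo.
import re
from collections import defaultdict

AUTOMATE_SERVER = "automate.example.internal"  # assumed management host

# Constructed proxy-style lines: time, client, scheme, host, path, status
HTTP_LOG = """\
2025-10-17T09:01:02Z 10.0.5.21 https automate.example.internal /agent/checkin 200
2025-10-17T09:01:07Z 10.0.5.22 http automate.example.internal /agent/checkin 200
2025-10-17T09:02:11Z 10.0.5.22 http automate.example.internal /updates/agent.zip 200
2025-10-17T09:03:00Z 10.0.5.30 https www.example.com / 200
"""

# Constructed ARP snapshots taken by a sensor: time, ip, mac
ARP_LOG = """\
2025-10-17T09:00:00Z 10.0.5.1 00:11:22:33:44:55
2025-10-17T09:05:00Z 10.0.5.1 66:77:88:99:aa:bb
2025-10-17T09:05:00Z 10.0.5.21 de:ad:be:ef:00:21
"""

HTTP_RE = re.compile(r"^(\S+) (\S+) (https?) (\S+) (\S+) (\d{3})$")


def cleartext_agent_traffic(log_text: str, server: str = AUTOMATE_SERVER) -> list:
    """Return (client, path) for every request to the Automate server that
    went over plain HTTP: the CWE-319 indicator. Each client listed is an
    agent whose transport setting still needs auditing."""
    hits = []
    for line in log_text.splitlines():
        m = HTTP_RE.match(line)
        if m and m.group(3) == "http" and m.group(4) == server:
            hits.append((m.group(2), m.group(5)))
    return hits


def arp_conflicts(arp_text: str) -> dict:
    """Return {ip: set_of_macs} for IPs seen with more than one MAC; a gateway
    or server IP changing MAC mid-day is the classic ARP poisoning symptom."""
    seen = defaultdict(set)
    for line in arp_text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            seen[parts[1]].add(parts[2].lower())
    return {ip: macs for ip, macs in seen.items() if len(macs) > 1}
```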

The vulnerabilities are mapped to several MITRE ATT&CK techniques, including T1557.002 (Adversary-in-the-Middle: ARP Cache Poisoning), T1195.002 (Supply Chain Compromise: Compromise Software Supply Chain), and T1040 (Network Sniffing). Relevant CAPEC patterns include CAPEC-94 (Adversary-in-the-Middle), CAPEC-102 (Session Sidejacking), CAPEC-117 (Interception), and CAPEC-477 (Signature Spoofing by Mixing Signed and Unsigned Content).

Exploitation in the Wild

As of the latest public advisories, there are no confirmed reports of active exploitation of CVE-2025-11492 or CVE-2025-11493 in the wild. However, ConnectWise has explicitly warned that these vulnerabilities are at high risk of being targeted due to their critical severity, ease of exploitation, and the privileged access granted by Automate agents. The attack surface is significant, as Automate is widely deployed by managed service providers (MSPs), IT service companies, and enterprise IT departments globally.

Historically, ConnectWise products have been targeted by both cybercriminal and nation-state actors, as evidenced by previous incidents involving ScreenConnect. The combination of remote code execution potential and the ability to compromise the software supply chain makes these vulnerabilities highly attractive to sophisticated threat actors. Organizations should assume that exploitation attempts will follow public disclosure and patch releases, and should proactively monitor for signs of compromise.

APT Groups using this vulnerability

No specific advanced persistent threat (APT) groups have been publicly linked to exploitation of CVE-2025-11492 or CVE-2025-11493 as of this report. Nevertheless, the attack techniques enabled by these vulnerabilities—particularly adversary-in-the-middle attacks and supply chain compromise—are consistent with the tactics, techniques, and procedures (TTPs) of several nation-state and financially motivated APT groups. Notably, ConnectWise products have previously been targeted by nation-state actors, especially in the context of ScreenConnect incidents. Given the criticality and potential impact, it is highly likely that APT groups will incorporate these vulnerabilities into their toolkits if organizations delay patching.

Affected Product Versions

All versions of ConnectWise Automate prior to 2025.9 are affected by both CVE-2025-11492 and CVE-2025-11493. This includes both on-premise and cloud deployments running any version before 2025.9. ConnectWise has already updated all cloud instances, but on-premise deployments require immediate manual intervention. The patched version, Automate 2025.9, was released on October 16, 2025. Organizations should reference the official ConnectWise Automate 2025.9 Security Fix bulletin for detailed patching instructions.

Workaround and Mitigation

The primary mitigation is to update all on-premise ConnectWise Automate servers and agents to version 2025.9 or later without delay. This update enforces HTTPS for all agent communications and implements cryptographic integrity checks for update packages and dependencies, effectively neutralizing both vulnerabilities. Organizations should verify that all agent communications are occurring over HTTPS and not HTTP, and should audit network configurations to ensure that no legacy or misconfigured agents remain.
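The two controls the 2025.9 patch introduces, HTTPS-only transport and integrity verification of update packages, shown in a minimal agent-side update path. This is an added illustration, not ConnectWise's code or the advisory's; the manifest format, hostname and key names are assumptions, and an HMAC-authenticated manifest stands in for a real digital signature because the Python standard library has no Ed25519.

```python
# Added illustration (not ConnectWise code): an agent-side update path that
# refuses cleartext transport (CWE-319) and checks package integrity against
# an authenticated manifest before anything is unpacked (CWE-494). Assumed:
# the manifest format, and HMAC in place of a real digital signature.
import hashlib
import hmac
import json
from urllib.parse import urlparse


class UpdateRejected(Exception):
    """Raised whenever the update must not be installed."""


def check_transport(update_url: str) -> None:
    """CWE-319 control: only HTTPS is acceptable for agent-server traffic."""
    if urlparse(update_url).scheme.lower() != "https":
        raise UpdateRejected(f"cleartext transport refused: {update_url}")


def load_manifest(manifest_bytes: bytes, tag_hex: str, key: bytes) -> dict:
    """Trust the digest list only if its MAC verifies under a key provisioned
    out of band, so a network attacker cannot rewrite the digests as well."""
    expected = hmac.new(key, manifest_bytes, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag_hex):
        raise UpdateRejected("manifest authentication failed")
    return json.loads(manifest_bytes)


def install_update(update_url: str, package: bytes, manifest: dict) -> str:
    """Return the package name only after both checks pass; a real agent
    would unpack and execute at that point and never before."""
    check_transport(update_url)
    name = urlparse(update_url).path.rsplit("/", 1)[-1]
    expected_digest = manifest.get(name)
    if expected_digest is None:
        raise UpdateRejected(f"no manifest entry for {name}")
    actual = hashlib.sha256(package).hexdigest()
    if not hmac.compare_digest(actual, expected_digest):
        raise UpdateRejected(f"digest mismatch for {name}")
    return name


# Constructed sample data: a fake package plus its authenticated manifest.
AGENT_KEY = b"demo-key-provisioned-at-enrollment"
GOOD_PACKAGE = b"fake automate agent update 2025.9"
MANIFEST_BYTES = json.dumps(
    {"agent-2025.9.zip": hashlib.sha256(GOOD_PACKAGE).hexdigest()}).encode()
MANIFEST_TAG = hmac.new(AGENT_KEY, MANIFEST_BYTES, hashlib.sha256).hexdigest()
GOOD_URL = "https://automate.example.internal/updates/agent-2025.9.zip"
```

The key provisioned at enrollment is what makes the manifest trustworthy; a digest list fetched over the same unauthenticated channel as the package would be rewritten by the same adversary-in-the-middle.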

In addition to patching, organizations should monitor for signs of network-based attacks, such as ARP spoofing or the delivery of unauthorized update files. Reviewing update logs and agent behavior for anomalies can help detect potential compromise. If there is any suspicion that cleartext credentials may have been exposed, all relevant credentials should be rotated immediately. Network segmentation and the use of strong authentication for management interfaces are also recommended to reduce the attack surface.

References

BleepingComputer: ConnectWise fixes Automate bug allowing AiTM update attacks https://www.bleepingcomputer.com/news/security/connectwise-fixes-automate-bug-allowing-aitm-update-attacks/

ConnectWise Automate 2025.9 Security Fix https://www.connectwise.com/company/trust/security-bulletins/connectwise-automate-2025.9-security-fix

CVE-2025-11492 Analysis (Akaoma) https://cve.akaoma.com/cve-2025-11492

CVE-2025-11493 Detail - NVD https://nvd.nist.gov/vuln/detail/CVE-2025-11493

MITRE ATT&CK Tactics & Techniques https://attack.mitre.org/

CAPEC Attack Patterns https://capec.mitre.org/data/definitions/94.html

Rescana is here for you

Rescana is committed to helping organizations proactively manage third-party and supply chain cyber risk. Our TPRM platform provides continuous monitoring, automated risk assessment, and actionable intelligence to help you stay ahead of emerging threats. If you have questions about this advisory, need assistance with incident response, or want to learn more about how Rescana can help secure your digital ecosystem, we are here to support you. Please contact us at ops@rescana.com.
