
ConnectWise released a security update to address vulnerabilities in the Automate product, including one with critical severity, which could expose sensitive communications to interception and modification.
ConnectWise Automate is a remote monitoring and management (RMM) platform used by managed service providers (MSPs), IT services companies, and internal IT departments in large enterprises.
In a typical deployment, it acts as a central management hub with high privileges to control thousands of client machines.
The most serious defect fixed by the vendor is tracked as CVE-2025-11492. With a severity rating of 9.6, the vulnerability allows cleartext transmission of sensitive information.
In particular, agents can be configured to communicate over insecure HTTP instead of encrypted HTTPS, which can be used in adversary-in-the-middle (AITM) attacks to intercept or modify traffic, including command, credential, and update payloads.
“In on-premises environments, agents may be configured to use HTTP or rely on encryption, which could allow a network-based adversary to view or modify traffic or replace malicious updates,” ConnectWise explains.
The second vulnerability is tracked as CVE-2025-11493 (8.8 severity score) and consists of a lack of integrity verification (checksum or digital signature) for update packages along with their dependencies and integrations.
Combining the two security issues, an attacker can push malicious files (e.g. malware, updates) as legitimate ones by impersonating a legitimate ConnectWise server.
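The following Go example is added here for illustration and is not ConnectWise's code or part of the original report. It shows the client-side checks whose absence the two CVEs describe: refusing a cleartext update source, verifying a signature over a manifest, and comparing the package digest to the signed value. The JSON manifest format, the function names, the host name and the choice of Ed25519 are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// VerifyUpdate rejects cleartext sources, manifests not signed by vendorKey,
// and packages whose SHA-256 digest differs from the signed manifest entry.
func VerifyUpdate(src, name string, manifest, sig, pkg []byte, vendorKey ed25519.PublicKey) error {
	u, err := url.Parse(src)
	if err != nil || u.Scheme != "https" {
		return errors.New("update source is not HTTPS")
	}
	if !ed25519.Verify(vendorKey, manifest, sig) {
		return errors.New("manifest signature invalid")
	}
	var digests map[string]string // file name -> hex SHA-256 (hypothetical manifest format)
	if err := json.Unmarshal(manifest, &digests); err != nil {
		return fmt.Errorf("manifest unreadable: %w", err)
	}
	want, err := hex.DecodeString(digests[name]) // a missing entry decodes to empty and fails below
	got := sha256.Sum256(pkg)
	if err != nil || subtle.ConstantTimeCompare(want, got[:]) != 1 {
		return errors.New("package digest does not match signed manifest")
	}
	return nil
}

// ConstructedRelease builds sample inputs: a fresh key pair and a signed manifest for pkg.
func ConstructedRelease(name string, pkg []byte) (manifest, sig []byte, pub ed25519.PublicKey) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	sum := sha256.Sum256(pkg)
	manifest, _ = json.Marshal(map[string]string{name: hex.EncodeToString(sum[:])})
	return manifest, ed25519.Sign(priv, manifest), pub
}

func main() {
	pkg := []byte("constructed package bytes")
	m, s, pub := ConstructedRelease("agent-update.bin", pkg)
	fmt.Println(VerifyUpdate("https://rmm.example.test/u", "agent-update.bin", m, s, pkg, pub))
	fmt.Println(VerifyUpdate("http://rmm.example.test/u", "agent-update.bin", m, s, pkg, pub))
}
```

Because the digest is only trusted after the manifest signature verifies against a key already held by the client, a server impersonator who can replace both the package and the manifest still fails the check.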
ConnectWise marks the security update as medium priority. The company has addressed both issues for cloud-based instances, which have been updated to the latest Automate release, 2025.9.
The vendor’s recommendation for administrators of on-premise deployments is to take action as quickly as possible (within days) and install the new release.
The security bulletin does not mention active exploitation, but warns that the vulnerabilities have “a higher risk of being targeted by wild exploitation.”
Threat actors have taken advantage of potentially serious vulnerabilities in ConnectWise products in the past. Earlier this year, nation-state actors directly breached the company’s environment, an attack that affected several ScreenConnect customers downstream.
The incident forced the vendor to rotate all digital code signing certificates with which it verified executables for a range of products, to reduce the risk of abuse.


