CVE-2025-11492 | THREATINT

Description

In the ConnectWise Automate Agent, communications could be configured to use HTTP instead of HTTPS. In such cases, an on-path threat actor with a man-in-the-middle network position could intercept, modify, or replay agent-server traffic. Additionally, the encryption method used to obfuscate some communications over the HTTP channel is updated in the Automate 2025.9 patch to enforce HTTPS for all agent communications.

PUBLISHED Reserved 2025-10-08 | Published 2025-10-16 | Updated 2025-10-17 | Assigner ConnectWise

CRITICAL: 9.6CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Problem types

CWE-319 Cleartext Transmission of Sensitive Information

Product status

Default status

unaffected

All versions prior to 2025.9

affected

References

www.connectwise.com/...nectwise-automate-2025.9-security-fix

cve.org (CVE-2025-11492)

nvd.nist.gov (CVE-2025-11492)

Download JSON