CVE-2025-11493 | THREATINT

Description

The ConnectWise Automate Agent does not fully verify the authenticity of files downloaded from the server, such as updates, dependencies, and integrations. This creates a risk where an on-path attacker could perform a man-in-the-middle attack and substitute malicious files for legitimate ones by impersonating a legitimate server. This risk is mitigated when HTTPS is enforced and is related to CVE-2025-11492.

PUBLISHED Reserved 2025-10-08 | Published 2025-10-16 | Updated 2025-10-17 | Assigner ConnectWise

HIGH: 8.8CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-494 Download of Code Without Integrity Check

Product status

Default status

unaffected

All versions prior to 2025.9

affected

References

www.connectwise.com/...nectwise-automate-2025.9-security-fix

cve.org (CVE-2025-11493)

nvd.nist.gov (CVE-2025-11493)

Download JSON