Refine your search
3 vulnerabilities found for Automate by ConnectWise
CVE-2026-6066 (GCVE-0-2026-6066)
Vulnerability from cvelistv5
Published
2026-04-20 15:26
Modified
2026-04-20 16:13
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-319 - Cleartext transmission of sensitive information
Summary
ConnectWise has released a security update for ConnectWise Automate™ that addresses a behavior in the ConnectWise Automate Solution Center where certain client-to-server communications could occur without transport-layer encryption. This could allow network‑based interception of Solution Center traffic in Automate deployments. The issue has been resolved in Automate 2026.4 by enforcing secure communication for affected Solution Center connections.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ConnectWise | Automate |
Version: All versions prior to 2026.4 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6066",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-20T16:12:51.126302Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-20T16:13:06.767Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"Solution Center"
],
"product": "Automate",
"vendor": "ConnectWise",
"versions": [
{
"status": "affected",
"version": "All versions prior to 2026.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "ConnectWise has released a security update for ConnectWise Automate\u2122 that addresses a behavior in the ConnectWise Automate Solution Center where certain client-to-server communications could occur without transport-layer encryption. This could allow network\u2011based interception of Solution Center traffic in Automate deployments. The issue has been resolved in Automate 2026.4 by enforcing secure communication for affected Solution Center connections."
}
],
"value": "ConnectWise has released a security update for ConnectWise Automate\u2122 that addresses a behavior in the ConnectWise Automate Solution Center where certain client-to-server communications could occur without transport-layer encryption. This could allow network\u2011based interception of Solution Center traffic in Automate deployments. The issue has been resolved in Automate 2026.4 by enforcing secure communication for affected Solution Center connections."
}
],
"impacts": [
{
"capecId": "CAPEC-117",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-117 Interception"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-319",
"description": "CWE-319 Cleartext transmission of sensitive information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-20T15:26:31.843Z",
"orgId": "7d616e1a-3288-43b1-a0dd-0a65d3e70a49",
"shortName": "ConnectWise"
},
"references": [
{
"url": "https://www.connectwise.com/company/trust/security-bulletins/2026-04-20-connectwise-automate-bulletin"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003cb\u003eRemediation\u003c/b\u003e\u003c/p\u003e\n\n\u003cp\u003e\u003cu\u003eCloud:\u003c/u\u003e\u0026nbsp;\u003cspan\u003eNo action is required.\u0026nbsp;\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003cspan\u003e\u003cu\u003eOn-Premise:\u003c/u\u003e\u0026nbsp;\u003c/span\u003e\u003cspan\u003eApply the 2026.4 release.\u003c/span\u003e\u003cspan\u003e\u003cbr\u003e\u003c/span\u003e\u003c/p\u003e\u003cp\u003eFor instruction on updating to the newest release, please\nreference this doc: \u003ca href=\"https://docs.connectwise.com/ConnectWise_Automate_Documentation/100/Automate_Release_Notes_Version_2026\"\u003eAutomate Release Notes Version 2026 - ConnectWise\u003c/a\u003e \u003c/p\u003e\u003cp\u003eAfter applying the update, on-premises customers must\nensure the following configurations are in place:\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eAn SSL certificate is bound to the Solution\nCenter on port 8484 to establish secure communication. Refer to the ConnectWise documentation for configuration steps: \u003ca href=\"https://docs.connectwise.com/ConnectWise_Automate_Documentation/070/270/Solution_Center_Client_and_Service_HTTPS_Update\"\u003eSolution Center Client and\nService HTTPS Update - ConnectWise\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003cspan\u003eIn some environments, antivirus or endpoint\nprotection products may interfere with the Automate patch installer or service\nbehavior during upgrades. If issues are encountered during installation or\nstartup, refer to the ConnectWise documentation for recommended antivirus\nexclusions:\u003c/span\u003e\u003cspan\u003e \u003c/span\u003e\u003ca href=\"https://docs.connectwise.com/ConnectWise_Automate_Documentation/060/040/010\"\u003eAutomate Antivirus Exclusions for Windows\u003c/a\u003e\u003c/li\u003e\u003cli\u003eEnsure that the LTShare has a minimum of 1 GB of\nfree disk space prior to installation.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003e\n\n\n\n\n\n\n\n\u003c/p\u003e\u003cp\u003eIf you experience issues completing the update or\nrequired configuration steps, please contact \u003ca href=\"mailto:help@connectwise.com\"\u003eConnectWise\nSupport\u003c/a\u003e for assistance.\u003c/p\u003e"
}
],
"value": "Remediation\n\n\n\nCloud:\u00a0No action is required.\u00a0\n\nOn-Premise:\u00a0Apply the 2026.4 release.\n\n\nFor instruction on updating to the newest release, please\nreference this doc: Automate Release Notes Version 2026 - ConnectWise https://docs.connectwise.com/ConnectWise_Automate_Documentation/100/Automate_Release_Notes_Version_2026 \n\nAfter applying the update, on-premises customers must\nensure the following configurations are in place:\n\n\n\n * An SSL certificate is bound to the Solution\nCenter on port 8484 to establish secure communication. Refer to the ConnectWise documentation for configuration steps: Solution Center Client and\nService HTTPS Update - ConnectWise\n * In some environments, antivirus or endpoint\nprotection products may interfere with the Automate patch installer or service\nbehavior during upgrades. If issues are encountered during installation or\nstartup, refer to the ConnectWise documentation for recommended antivirus\nexclusions: Automate Antivirus Exclusions for Windows https://docs.connectwise.com/ConnectWise_Automate_Documentation/060/040/010 \n * Ensure that the LTShare has a minimum of 1 GB of\nfree disk space prior to installation.\n\n\n\n\n\n\n\n\n\n\n\n\n\n\nIf you experience issues completing the update or\nrequired configuration steps, please contact ConnectWise\nSupport for assistance."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Unencrypted Client\u2011Server Communication in ConnectWise Automate\u2122 Solution Center",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d616e1a-3288-43b1-a0dd-0a65d3e70a49",
"assignerShortName": "ConnectWise",
"cveId": "CVE-2026-6066",
"datePublished": "2026-04-20T15:26:31.843Z",
"dateReserved": "2026-04-10T13:19:03.212Z",
"dateUpdated": "2026-04-20T16:13:06.767Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-11493 (GCVE-0-2025-11493)
Vulnerability from cvelistv5
Published
2025-10-16 19:00
Modified
2026-02-26 16:57
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-494 - Download of Code Without Integrity Check
Summary
The ConnectWise Automate Agent does not fully verify the authenticity of files downloaded from the server, such as updates, dependencies, and integrations. This creates a risk where an on-path attacker could perform a man-in-the-middle attack and substitute malicious files for legitimate ones by impersonating a legitimate server. This risk is mitigated when HTTPS is enforced and is related to CVE-2025-11492.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ConnectWise | Automate |
Version: All versions prior to 2025.9 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-11493",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-17T03:55:32.566730Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T16:57:24.641Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Automate",
"vendor": "ConnectWise",
"versions": [
{
"status": "affected",
"version": "All versions prior to 2025.9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The ConnectWise Automate Agent does not fully verify the authenticity of files downloaded from the server, such as updates, dependencies, and integrations. This creates a risk where an on-path attacker could perform a man-in-the-middle attack and substitute malicious files for legitimate ones by impersonating a legitimate server. This risk is mitigated when HTTPS is enforced and is related to CVE-2025-11492."
}
],
"value": "The ConnectWise Automate Agent does not fully verify the authenticity of files downloaded from the server, such as updates, dependencies, and integrations. This creates a risk where an on-path attacker could perform a man-in-the-middle attack and substitute malicious files for legitimate ones by impersonating a legitimate server. This risk is mitigated when HTTPS is enforced and is related to CVE-2025-11492."
}
],
"impacts": [
{
"capecId": "CAPEC-186",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-186 Malicious Software Update"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-494",
"description": "CWE-494 Download of Code Without Integrity Check",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-16T19:00:39.119Z",
"orgId": "7d616e1a-3288-43b1-a0dd-0a65d3e70a49",
"shortName": "ConnectWise"
},
"references": [
{
"url": "https://www.connectwise.com/company/trust/security-bulletins/connectwise-automate-2025.9-security-fix"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003cb\u003eCloud:\u0026nbsp;\u003c/b\u003eCloud instances have already been updated to the latest\nAutomate release. \u0026nbsp;\u0026nbsp;\u003c/p\u003e\n\n\n\n\n\n\u003cp\u003e\u003cb\u003eOn-premise\u003c/b\u003e: Apply the 2025.9\nrelease.\u003c/p\u003e\n\n\n\n\n\n\n\n\u003cbr\u003e"
}
],
"value": "Cloud:\u00a0Cloud instances have already been updated to the latest\nAutomate release. \u00a0\u00a0\n\n\n\n\n\n\n\nOn-premise: Apply the 2025.9\nrelease."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Self-Update Verification Mechanism Process in ConnectWise Automate",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d616e1a-3288-43b1-a0dd-0a65d3e70a49",
"assignerShortName": "ConnectWise",
"cveId": "CVE-2025-11493",
"datePublished": "2025-10-16T19:00:39.119Z",
"dateReserved": "2025-10-08T11:26:01.814Z",
"dateUpdated": "2026-02-26T16:57:24.641Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-11492 (GCVE-0-2025-11492)
Vulnerability from cvelistv5
Published
2025-10-16 18:59
Modified
2026-02-26 16:57
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-319 - Cleartext Transmission of Sensitive Information
Summary
In the ConnectWise Automate Agent, communications could be configured to use HTTP instead of HTTPS. In such cases, an on-path threat actor with a man-in-the-middle network position could intercept, modify, or replay agent-server traffic. Additionally, the encryption method used to obfuscate some communications over the HTTP channel is updated in the Automate 2025.9 patch to enforce HTTPS for all agent communications.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ConnectWise | Automate |
Version: All versions prior to 2025.9 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-11492",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-17T03:55:31.830163Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T16:57:25.098Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"Agent"
],
"product": "Automate",
"vendor": "ConnectWise",
"versions": [
{
"status": "affected",
"version": "All versions prior to 2025.9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In the ConnectWise Automate Agent, communications could be configured to use HTTP instead of HTTPS. In such cases, an on-path threat actor with a man-in-the-middle network position could intercept, modify, or replay agent-server traffic. Additionally, the encryption method used to obfuscate some communications over the HTTP channel is updated in the Automate 2025.9 patch to enforce HTTPS for all agent communications.\u003cbr\u003e\u003cbr\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003e\n\n\u003c/div\u003e\n\n\u003c/div\u003e\n\n\u003c/div\u003e"
}
],
"value": "In the ConnectWise Automate Agent, communications could be configured to use HTTP instead of HTTPS. In such cases, an on-path threat actor with a man-in-the-middle network position could intercept, modify, or replay agent-server traffic. Additionally, the encryption method used to obfuscate some communications over the HTTP channel is updated in the Automate 2025.9 patch to enforce HTTPS for all agent communications."
}
],
"impacts": [
{
"capecId": "CAPEC-94",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-94 Adversary in the Middle (AiTM)"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-319",
"description": "CWE-319 Cleartext Transmission of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-16T18:59:35.285Z",
"orgId": "7d616e1a-3288-43b1-a0dd-0a65d3e70a49",
"shortName": "ConnectWise"
},
"references": [
{
"url": "https://www.connectwise.com/company/trust/security-bulletins/connectwise-automate-2025.9-security-fix"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003cb\u003eCloud:\u0026nbsp;\u003c/b\u003eCloud instances have already been updated to the latest\nAutomate release. \u0026nbsp;\u0026nbsp;\u003c/p\u003e\n\n\n\n\n\n\u003cp\u003e\u003cb\u003eOn-premise:\u0026nbsp;\u003c/b\u003eApply the 2025.9\nrelease.\u003c/p\u003e\n\n\n\n\n\n\n\n\u003cbr\u003e"
}
],
"value": "Cloud:\u00a0Cloud instances have already been updated to the latest\nAutomate release. \u00a0\u00a0\n\n\n\n\n\n\n\nOn-premise:\u00a0Apply the 2025.9\nrelease."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "HTTP Configuration and Encryption in Transit",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d616e1a-3288-43b1-a0dd-0a65d3e70a49",
"assignerShortName": "ConnectWise",
"cveId": "CVE-2025-11492",
"datePublished": "2025-10-16T18:59:35.285Z",
"dateReserved": "2025-10-08T11:25:59.180Z",
"dateUpdated": "2026-02-26T16:57:25.098Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}