CVE-2025-11492
📋 TL;DR
CVE-2025-11492 allows man-in-the-middle attacks against ConnectWise Automate Agent when configured to use HTTP instead of HTTPS. An attacker on the network path could intercept, modify, or replay communications between agents and servers. All ConnectWise Automate deployments with vulnerable agent configurations are affected.
💻 Affected Systems
- ConnectWise Automate Agent
📦 What is this software?
Automate by ConnectWise
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of agent-server communications allowing credential theft, malware deployment, data exfiltration, and lateral movement across managed endpoints.
Likely Case
Interception of sensitive data (credentials, configuration details) and potential injection of malicious commands into agent communications.
If Mitigated
Limited to denial of service or reconnaissance if proper network segmentation and monitoring are in place.
🎯 Exploit Status
Exploitation requires network position between agent and server, but no authentication or special privileges needed once positioned.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: ConnectWise Automate 2025.9
Vendor Advisory: https://www.connectwise.com/company/trust/security-bulletins/connectwise-automate-2025.9-security-fix
Restart Required: Yes
Instructions:
1. Update ConnectWise Automate server to version 2025.9.
2. Deploy updated agents to all endpoints.
3. Verify all communications are using HTTPS.
4. Restart both server and agents.
🔧 Temporary Workarounds
Enforce HTTPS Configuration
Manually configure all agent communications to use HTTPS only
Edit agent configuration files to set 'UseSSL=true' and specify proper HTTPS endpoints
Network Segmentation
Isolate agent-server communications to trusted network segments
Implement VLAN segmentation, firewall rules to restrict agent traffic to specific paths
🧯 If You Can't Patch
- Implement strict network monitoring for unencrypted agent communications
- Deploy network-level TLS inspection/proxy to enforce HTTPS for all agent traffic
🔍 How to Verify
Check if Vulnerable:
Check agent configuration files for HTTP endpoints or UseSSL=false settings. Monitor network traffic for unencrypted agent communications on default ports.
Check Version:
On Windows: run 'wmic product where name="ConnectWise Automate Agent" get version' or check the agent UI. On Linux: check the version files in the agent installation directory.
Verify Fix Applied:
Confirm all agent configurations specify HTTPS endpoints and UseSSL=true. Verify network traffic shows TLS encryption for agent communications.
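A checker for the configuration review described under "Check if Vulnerable" and "Verify Fix Applied", added here as an example and not ConnectWise's own tooling. It assumes the agent configuration is key=value text and that the setting is spelled UseSSL as above; the config content is a constructed sample.

```python
"""Added example: flag agent configuration settings the advisory describes as
vulnerable, i.e. UseSSL=false or server endpoints that use plain HTTP.
The key=value layout and the key names are assumptions, not the vendor's format."""
import re
from urllib.parse import urlparse

# Constructed sample configuration; not taken from a real agent install.
SAMPLE_CONFIG = """
# agent settings (constructed sample)
ServerAddress=http://automate.example.internal:8080/
UseSSL=false
BackupServer="https://automate-dr.example.internal/"
"""

# Values that count as "TLS enabled" for a boolean-style setting.
SECURE_FLAGS = {"1", "true", "yes", "on"}


def parse_config(text: str) -> dict:
    """Parse key=value lines; skip comments and blanks, strip surrounding quotes."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        settings[key.strip().lower()] = value.strip().strip("\"'")
    return settings


def find_insecure_settings(text: str) -> list:
    """Return one finding string per insecure setting, in config order."""
    settings = parse_config(text)
    findings = []
    use_ssl = settings.get("usessl")
    if use_ssl is not None and use_ssl.lower() not in SECURE_FLAGS:
        findings.append(f"UseSSL={use_ssl}: TLS disabled for agent traffic")
    for key, value in settings.items():
        # Any value that looks like a URL is checked for a plain-HTTP scheme.
        if re.match(r"(?i)https?://", value) and urlparse(value).scheme.lower() == "http":
            findings.append(f"{key}={value}: plain-HTTP endpoint")
    return findings


if __name__ == "__main__":
    for finding in find_insecure_settings(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

An empty result for a configuration means it carries neither a disabled UseSSL flag nor an HTTP endpoint; it does not confirm the wire traffic is encrypted, so pair it with the network check above.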
📡 Detection & Monitoring
Log Indicators:
- Agent connection failures after HTTPS enforcement
- Unusual agent reconnection patterns
- Configuration change logs showing HTTP to HTTPS migration
Network Indicators:
- Unencrypted traffic on agent communication ports (typically 80/8080 for HTTP)
- SSL/TLS handshake failures for agent connections
- Unexpected proxy or MITM devices in agent-server path
SIEM Query:
source="agent_logs" AND (event="connection_error" OR event="config_change") | search "HTTP" OR "UseSSL=false"