CVE-2025-4876

6.0 MEDIUM

📋 TL;DR

This vulnerability allows attackers to extract a hardcoded AES decryption key from ConnectWise Risk Assessment's password encryption utility via reverse engineering. The key can then decrypt CSV files used for authenticated network scanning, potentially exposing sensitive network credentials. Organizations using ConnectWise Risk Assessment with the vulnerable utility are affected.

💻 Affected Systems

Products:
  • ConnectWise Risk Assessment
Versions: All versions using ConnectWise-Password-Encryption-Utility.exe with hardcoded key
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the password encryption utility specifically; systems using this utility for CSV file decryption are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers decrypt CSV files containing network credentials, gain authenticated access to internal systems, and potentially move laterally across the network.

🟠 Likely Case

Attackers extract the hardcoded key and decrypt CSV files to obtain network scanning credentials, compromising the security of scanned systems.

🟢 If Mitigated

With proper network segmentation and credential rotation, impact is limited to exposure of specific scanning credentials rather than broader network compromise.

🌐 Internet-Facing: LOW
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to the binary file and basic reverse engineering skills to extract the hardcoded key.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available

Restart Required: No

Instructions:

1. Contact ConnectWise for updated utility version
2. Replace ConnectWise-Password-Encryption-Utility.exe with patched version
3. Rotate all credentials stored in previously encrypted CSV files

🔧 Temporary Workarounds

Disable vulnerable utility (Windows)

Stop using ConnectWise-Password-Encryption-Utility.exe for CSV file decryption

Implement external key management (all platforms)

Replace hardcoded key with external key management system

🧯 If You Can't Patch

  • Restrict access to ConnectWise-Password-Encryption-Utility.exe binary files
  • Rotate all credentials that were ever processed through the vulnerable utility

🔍 How to Verify

Check if Vulnerable:

Check whether ConnectWise-Password-Encryption-Utility.exe exists on the system and whether strings analysis shows that it contains a hardcoded AES key

Check Version:

Not applicable - check binary properties or contact vendor

Verify Fix Applied:

Verify new utility version uses dynamic key management or external key storage
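
The existence check and the "restrict access to the binary" mitigation can be combined into one inventory pass. The PowerShell below is an added example, not code from ConnectWise or from this advisory. It finds copies of the utility by file name and lists each copy's SHA-256, file version, and the accounts allowed to read it. The search roots are assumptions; adjust them to where the tool is deployed.

```powershell
# Added example (not vendor code): inventory copies of the utility named in this advisory.
# Assumption: the default search roots below are typical install/user locations.
param(
    [string[]]$SearchRoots = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}",
                               "$env:ProgramData", "$env:SystemDrive\Users"),
    [string]$BinaryName = 'ConnectWise-Password-Encryption-Utility.exe'
)

$readData = [System.Security.AccessControl.FileSystemRights]::ReadData

$results = foreach ($root in $SearchRoots | Where-Object { $_ -and (Test-Path -LiteralPath $_) }) {
    Get-ChildItem -LiteralPath $root -Filter $BinaryName -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            $acl  = Get-Acl -LiteralPath $file.FullName

            # Accounts with an Allow ACE that grants ReadData on the binary.
            # ACEs expressed only as generic rights are not expanded here.
            $readers = $acl.Access |
                Where-Object { $_.AccessControlType -eq 'Allow' -and
                               (($_.FileSystemRights -band $readData) -ne 0) } |
                ForEach-Object { $_.IdentityReference.Value } |
                Sort-Object -Unique

            [pscustomobject]@{
                Path         = $file.FullName
                SHA256       = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
                FileVersion  = $file.VersionInfo.FileVersion
                LastWriteUtc = $file.LastWriteTimeUtc
                ReadableBy   = $readers -join '; '
            }
        }
}

if (-not $results) {
    Write-Output "No copy of $BinaryName found under the searched roots."
} else {
    # Any hit means credentials processed by that copy are candidates for rotation.
    $results | Format-List
}
```

Broad entries in ReadableBy, such as BUILTIN\Users or Everyone, mark copies whose ACLs should be tightened first.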

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to CSV files
  • Unusual network scanning activity from unexpected sources

Network Indicators:

  • Unexpected authenticated scanning from unauthorized IPs
  • Credential reuse across multiple systems

SIEM Query:

source="*csv*" AND action="decrypt" AND user!="authorized_user"
