CVE-2019-16517

critical

Description

An issue was discovered in ConnectWise Control (formerly known as ScreenConnect) 19.3.25270.7185. There is a CORS misconfiguration, which reflected the Origin provided by incoming requests. This allowed JavaScript running on any domain to interact with the server APIs and perform administrative actions, without the victim's knowledge.

References

Advisories
More

https://www.crn.com/slide-shows/managed-services/connectwise-control-attack-chain-exploit-20-questions-for-security-researcher-bishop-fox

https://www.crn.com/news/managed-services/connectwise-control-msp-security-vulnerabilities-are-severe-bishop-fox

https://know.bishopfox.com/advisories

https://know.bishopfox.com/advisories/connectwise-control

https://blog.huntresslabs.com/validating-the-bishop-fox-findings-in-connectwise-control-9155eec36a34

Details

Source: Mitre, NVD

Published: 2020-01-23

Updated: 2026-06-17

Risk Information

CVSS v2

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Severity: High

CVSS v3

Base Score: 9.8

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical

EPSS

EPSS: 0.00264