CVE-2025-11492

high

Description

In the ConnectWise Automate Agent, communications could be configured to use HTTP instead of HTTPS. In such cases, an on-path threat actor with a man-in-the-middle network position could intercept, modify, or replay agent-server traffic. Additionally, the encryption method used to obfuscate some communications over the HTTP channel is updated in the Automate 2025.9 patch to enforce HTTPS for all agent communications.

References

References
More

https://www.securityweek.com/connectwise-patches-critical-flaw-in-automate-rmm-tool/

https://www.bleepingcomputer.com/news/security/connectwise-fixes-automate-bug-allowing-aitm-update-attacks/

https://www.connectwise.com/company/trust/security-bulletins/connectwise-automate-2025.9-security-fix

Details

Source: Mitre, NVD

Published: 2025-10-16

Updated: 2025-10-29

Risk Information

CVSS v2

Base Score: 6.8

Vector: CVSS2#AV:A/AC:H/Au:N/C:C/I:C/A:C

Severity: Medium

CVSS v3

Base Score: 7.5

Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: High

EPSS

EPSS: 0.0001