SOCRadar® Cyber Intelligence Inc. | ConnectWise Automate Flaws Allow Fake Updates: CVE-2025-11492 and CVE-2025-11493
Oct 20, 2025

ConnectWise Automate Flaws Allow Fake Updates: CVE-2025-11492 and CVE-2025-11493

When trusted IT management platforms reveal cracks in their armor, every second counts. The latest update for ConnectWise Automate addresses two high-impact flaws that could expose sensitive communications or even allow tampering with software updates.

Here’s what you need to know about these vulnerabilities, how they could affect your environment, and what steps to take right now.

What Are the New ConnectWise Automate Vulnerabilities?

The vulnerabilities, tracked as CVE-2025-11492 and CVE-2025-11493, stem from the use of unsecured communication protocols and from missing integrity checks during updates. Both could be exploited by attackers positioned on the network path between agents and the Automate server to intercept or manipulate agent traffic.

  • CVE-2025-11492 (CVSS 9.6): This vulnerability involves agents transmitting data without encryption when configured to use HTTP instead of HTTPS. Such unencrypted communications can be intercepted or modified by an attacker monitoring network traffic, leading to exposure of credentials or commands.
Details of CVE-2025-11492 (SOCRadar Vulnerability Intelligence)

  • CVE-2025-11493 (CVSS 8.8): This flaw results from missing integrity verification in the update process. It could allow attackers to inject malicious or tampered update files that appear legitimate, resulting in unauthorized code execution on managed systems.
SOCRadar’s Cyber Threat Intelligence module delivers real-time insights on emerging CVEs, exploit activity, and hacker chatter – helping security teams to act before vulnerabilities are weaponized.

Which Software and Versions Are Affected?

ConnectWise confirmed that these vulnerabilities impact on-premises deployments of ConnectWise Automate running versions prior to 2025.9.

The primary exposure lies with organizations hosting on-prem Automate servers that still allow HTTP or outdated encryption methods. Cloud-based instances are already patched automatically.

How Could Attackers Exploit These Flaws?

In affected setups, agents communicating over HTTP or with weak encryption could have their traffic captured and altered. An adversary positioned on the same network could execute a Man-in-the-Middle (MitM) attack to read commands, harvest credentials, or inject malware-laced updates.

Exploiting CVE-2025-11492 and CVE-2025-11493, attackers could replace legitimate updates with their own code, gaining remote control over managed systems while remaining undetected. Given that Automate servers typically control large numbers of endpoints, the potential fallout could be significant.

Attackers consistently target remote management tools. In February 2024, ConnectWise ScreenConnect vulnerabilities CVE-2024-1708 and CVE-2024-1709 were exploited in the wild, allowing attackers to bypass authentication and access internal systems remotely. Later, in July 2025, another ScreenConnect flaw (CVE-2025-3935) demonstrated how threat actors leveraged unpatched servers to gain administrative control over managed networks.

What Changes Does ConnectWise Automate 2025.9 Introduce?

The 2025.9 release, issued on October 16, 2025, enforces HTTPS for all agent communications and strengthens encryption requirements. Partners managing on-premises Automate servers must confirm that TLS 1.2 is enforced to maintain secure, encrypted data exchanges between agents and servers.

This update eliminates the use of unsecured HTTP connections, ensuring that sensitive communications and update deliveries are protected from interception or tampering.

How Can Organizations Mitigate These Risks?

  • Apply the update immediately: On-prem users should upgrade to Automate 2025.9 without delay.
  • Verify secure protocols: Ensure all agent connections require HTTPS and that TLS 1.2+ is enforced.
  • Restrict network access: Limit exposure of Automate servers to untrusted networks.
  • Monitor for unusual activity: Check for any unexplained update behavior or traffic anomalies.
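A practical way to act on the "verify secure protocols" and "monitor for unusual activity" steps is to run a check over your own proxy or firewall logs for agent traffic that still uses plaintext HTTP (the CVE-2025-11492 exposure) and for update downloads that do not come from your Automate server (the CVE-2025-11493 angle). The script below is an added example, not ConnectWise or SOCRadar code; the log format, hostnames and the `/agent/...` paths are constructed assumptions, so adjust the regex and paths to your environment.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample lines (not real Automate logs). Assumed field order:
# <timestamp> <client_ip> <scheme> <dest_host> <dest_port> <path>
SAMPLE_LOG = """\
2025-10-17T08:01:12Z 10.0.5.21 https automate.corp.example 443 /agent/checkin
2025-10-17T08:01:13Z 10.0.5.22 http automate.corp.example 80 /agent/checkin
2025-10-17T08:02:40Z 10.0.5.23 http automate.corp.example 80 /agent/update/package.exe
2025-10-17T08:03:05Z 10.0.5.24 https automate.corp.example 443 /agent/update/package.exe
2025-10-17T08:04:51Z 10.0.5.25 https mirror.unexpected.example 443 /agent/update/package.exe
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<scheme>https?) "
    r"(?P<host>\S+) (?P<port>\d+) (?P<path>\S+)$"
)

# Assumed update path prefix; replace with the one your server actually serves.
UPDATE_PREFIX = "/agent/update/"


def parse_line(line: str) -> Dict[str, str]:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparsable line: {line!r}")
    return m.groupdict()


def find_findings(log_text: str, expected_host: str) -> List[Dict[str, str]]:
    """Return one finding per log line per problem found."""
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        # Plaintext HTTP: anyone on the path can read or alter agent traffic.
        if rec["scheme"] == "http":
            findings.append({**rec, "reason": "plaintext_http"})
        # Update content fetched from a host other than your own server
        # deserves a look even when the transport is HTTPS.
        if rec["path"].startswith(UPDATE_PREFIX) and rec["host"] != expected_host:
            findings.append({**rec, "reason": "update_from_unexpected_host"})
    return findings


def summarize(findings: List[Dict[str, str]]) -> Counter:
    """Count findings by reason, for a quick triage view."""
    return Counter(f["reason"] for f in findings)
```

Any `plaintext_http` hit after upgrading to 2025.9 points at an agent or load balancer still configured for HTTP and is worth chasing down.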

Cloud customers are already protected, but on-prem administrators must act quickly. For detailed remediation steps, refer to the official ConnectWise advisory.

Monitor company assets and vulnerabilities with SOCRadar ASM

Discover and secure every digital asset that belongs to your organization. SOCRadar’s Attack Surface Management (ASM) module continuously scans for exposed services, misconfigurations, and shadow IT, giving you full visibility to reduce risk before threat actors find your weaknesses.