Threat Advisory

Critical MitM Vulnerabilities in ConnectWise Automate Allow Remote Compromise of Managed Endpoints

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Critical

EXECUTIVE SUMMARY:

A pair of vulnerabilities has been identified in ConnectWise Automate, tracked as CVE-2025-11492 and CVE-2025-11493. These flaws affect multiple Automate Agent deployments and could allow on‑path attackers to intercept or tamper with RMM agent traffic, inject malicious updates, and achieve remote compromise of managed endpoints.

  • CVE-2025-11492: This vulnerability carries a CVSS v3.1 score of 9.6 (Critical) and stems from Automate Agents being configured to use unencrypted HTTP (or otherwise allowing insecure agent-server communication). An on‑path attacker can perform a man‑in‑the‑middle (MitM) attack to intercept, modify, or replay agent-server traffic — exposing sensitive data, issuing malicious commands, or redirecting agents to attacker-controlled resources. Successful exploitation can lead to full compromise of managed systems and the management channel.
  • CVE-2025-11493: Rated High severity (8.8), this flaw arises from insufficient verification of files downloaded by the Automate Agent from its management server. Through a MitM attack or compromised update server, an attacker could replace legitimate updates with malicious binaries. This effectively turns the trusted update mechanism into a distribution channel for malware, enabling remote code execution and persistent footholds across managed fleets.

These vulnerabilities pose an acute risk to managed-service and enterprise environments that rely on ConnectWise Automate for remote management—particularly where agents are deployed without enforced TLS or strict update verification.
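
As an added illustration (not ConnectWise code and not taken from the vendor bulletin), the following Python example shows the two controls whose absence the CVEs describe: refusing non-HTTPS download locations and checking the downloaded file against an authenticated manifest. The manifest fields, key, URL and function names are constructed for this example, and HMAC stands in for a publisher signature so that it runs with the standard library only.

```python
import hashlib
import hmac
import json
from urllib.parse import urlsplit

# Constructed demo key. HMAC stands in for a publisher signature so the example
# needs only the standard library; a real agent would pin a public key instead.
PINNED_KEY = b"constructed-demo-key"

class UpdateRejected(Exception):
    """Raised when an update fails a transport or integrity check."""

def sign_manifest(manifest: dict, key: bytes = PINNED_KEY) -> str:
    """Publisher side: authenticate the canonical JSON form of the manifest."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def verify_update(manifest: dict, tag: str, payload: bytes,
                  key: bytes = PINNED_KEY) -> bytes:
    """Agent side: return the payload only if every check passes."""
    # Cleartext transport (the weakness class behind CVE-2025-11492):
    # refuse any download location that is not HTTPS.
    url = urlsplit(manifest.get("url", ""))
    if url.scheme != "https" or not url.hostname:
        raise UpdateRejected("update URL is not HTTPS")
    # Manifest authenticity: a rewritten manifest fails here even when it
    # arrives from the expected server.
    if not hmac.compare_digest(sign_manifest(manifest, key), tag):
        raise UpdateRejected("manifest authentication failed")
    # Download integrity (the weakness class behind CVE-2025-11493):
    # the received bytes must match the digest in the authenticated manifest.
    digest = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(digest, manifest.get("sha256", "")):
        raise UpdateRejected("payload digest mismatch")
    return payload

def check(manifest: dict, tag: str, payload: bytes) -> str:
    """Return 'accepted' or the rejection reason, for demonstration."""
    try:
        verify_update(manifest, tag, payload)
        return "accepted"
    except UpdateRejected as exc:
        return str(exc)

# Constructed sample update, not a real ConnectWise artifact.
GOOD_PAYLOAD = b"constructed agent update v2"
GOOD_MANIFEST = {"url": "https://updates.example.invalid/agent.bin",
                 "sha256": hashlib.sha256(GOOD_PAYLOAD).hexdigest()}
GOOD_TAG = sign_manifest(GOOD_MANIFEST)
```

In production the shared-key HMAC would be replaced by an asymmetric signature so that agents hold only a public key and cannot forge manifests themselves.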

RECOMMENDATION:

We recommend applying the patches for CVE-2025-11492 and CVE-2025-11493 described at the following link: https://www.connectwise.com/company/trust/security-bulletins/connectwise-automate-2025.9-security-fix

REFERENCES:

The following reports contain further technical details:

https://securityonline.info/critical-connectwise-automate-flaw-cve-2025-11492-cvss-9-6-allows-rmm-agent-man-in-the-middle-attack/
