Aggregates CVE and security vulnerability intelligence across all connectwise-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Historical issues mainly involve vendor risk cross-site scripting, vendor risk csrf, vendor risk xxe, and vendor risk path handling and related problems; some flaws may lead to vendor impact data exposure.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2026-6066 | ConnectWise has released a security update for ConnectWise Automate™ that addresses a behavior in the ConnectWise Automate Solution Center where certain client-to-server communications could occur without transport-layer encryption. This could allow network‑based interception of Solution Center traffic in Automate deployments. The issue has been resolved in Automate 2026.4 by enforcing secure communication for affected Solution Center connections. | 7d616e1a-3288-43b1-a0dd-0a65d3e70a49 | 7.1 | 0.01% | 2026-04-20 | 2026-04-23 |
| CVE-2026-0696 | In ConnectWise PSA versions older than 2026.1, certain session cookies were not set with the HttpOnly attribute. In some scenarios, this could allow client-side scripts access to session cookie values. | 7d616e1a-3288-43b1-a0dd-0a65d3e70a49 | 6.5 | 0.02% | 2026-01-16 | 2026-01-27 |
| CVE-2026-0695 | In ConnectWise PSA versions older than 2026.1, Time Entry notes stored in the Time Entry Audit Trail may be rendered without applying output encoding to certain content. Under specific conditions, this may allow stored script code to execute in the context of a user’s browser when the affected content is displayed. | 7d616e1a-3288-43b1-a0dd-0a65d3e70a49 | 8.7 | 0.03% | 2026-01-16 | 2026-01-27 |
| CVE-2025-14823 | In deployments using the ScreenConnect™ Certificate Signing Extension, encrypted configuration values including an Azure Key Vault-related key, could be returned to unauthenticated users through a client-facing endpoint under certain conditions. The values remained encrypted and securely stored at rest; however, an encrypted representation could be exposed in client responses. Updating the Certificate Signing Extension to version 1.0.12 or higher ensures configuration handling occurs exclusively | 7d616e1a-3288-43b1-a0dd-0a65d3e70a49 | 5.3 | 0.02% | 2025-12-18 | 2026-01-16 |
| CVE-2025-14265 | In versions of ScreenConnect™ prior to 25.8, server-side validation and integrity checks within the extension subsystem could allow the installation and execution of untrusted or arbitrary extensions by authorized or administrative users. Abuse of this behavior could result in the execution of custom code on the server or unauthorized access to application configuration data. This issue affects only the ScreenConnect server component; host and guest clients are not impacted. ScreenConnect 25.8 i | 7d616e1a-3288-43b1-a0dd-0a65d3e70a49 | 9.1 | 0.05% | 2025-12-11 | 2026-01-16 |
| CVE-2025-11493 | The ConnectWise Automate Agent does not fully verify the authenticity of files downloaded from the server, such as updates, dependencies, and integrations. This creates a risk where an on-path attacker could perform a man-in-the-middle attack and substitute malicious files for legitimate ones by impersonating a legitimate server. This risk is mitigated when HTTPS is enforced and is related to CVE-2025-11492. | 7d616e1a-3288-43b1-a0dd-0a65d3e70a49 | 8.8 | 0.01% | 2025-10-16 | 2025-10-29 |
| CVE-2025-11492 | In the ConnectWise Automate Agent, communications could be configured to use HTTP instead of HTTPS. In such cases, an on-path threat actor with a man-in-the-middle network position could intercept, modify, or replay agent-server traffic. Additionally, the encryption method used to obfuscate some communications over the HTTP channel is updated in the Automate 2025.9 patch to enforce HTTPS for all agent communications. | 7d616e1a-3288-43b1-a0dd-0a65d3e70a49 | 9.6 | 0.01% | 2025-10-16 | 2025-10-29 |
| CVE-2025-7204 | In ConnectWise PSA versions older than 2025.9, a vulnerability exists where authenticated users could gain access to sensitive user information. Specific API requests were found to return an overly verbose user object, which included encrypted password hashes for other users. Authenticated users could then retrieve these hashes. An attacker or privileged user could then use these exposed hashes to conduct offline brute-force or dictionary attacks. Such attacks could lead to credential compro | 7d616e1a-3288-43b1-a0dd-0a65d3e70a49 | 6.5 | 0.31% | 2025-07-09 | 2025-08-20 |
| CVE-2025-4876 | ConnectWise-Password-Encryption-Utility.exe in ConnectWise Risk Assessment allows an attacker to extract a hardcoded AES decryption key via reverse engineering. This key is embedded in plaintext within the binary and used in cryptographic operations without dynamic key management. Once obtained the key can be used to decrypt CSV input files used for authenticated network scanning. | 7d616e1a-3288-43b1-a0dd-0a65d3e70a49 | 6.0 | 0.01% | 2025-05-19 | 2025-10-02 |
| CVE-2025-3935 KEV | ScreenConnect versions 25.2.3 and earlier versions may be susceptible to a ViewState code injection attack. ASP.NET Web Forms use ViewState to preserve page and control state, with data encoded using Base64 protected by machine keys. It is important to note that to obtain these machine keys, privileged system level access must be obtained. If these machine keys are compromised, attackers could create and send a malicious ViewState to the website, potentially leading to remote code execution | 7d616e1a-3288-43b1-a0dd-0a65d3e70a49 | 8.1 | 12.03% | 2025-04-25 | 2025-10-24 |
| CVE-2024-1709 KEV | ConnectWise ScreenConnect 23.9.7 and prior are affected by an Authentication Bypass Using an Alternate Path or Channel vulnerability, which may allow an attacker direct access to confidential information or critical systems. | 9119a7d8-5eab-497f-8521-727c672e3725 | 10.0 | 94.35% | 2024-02-21 | 2026-02-26 |
| CVE-2024-1708 KEV | ConnectWise ScreenConnect 23.9.7 and prior are affected by path-traversal vulnerability, which may allow an attacker the ability to execute remote code or directly impact confidential data or critical systems. | 9119a7d8-5eab-497f-8521-727c672e3725 | 8.4 | 85.01% | 2024-02-21 | 2026-04-28 |
| CVE-2023-47257 | ConnectWise ScreenConnect through 23.8.4 allows man-in-the-middle attackers to achieve remote code execution via crafted messages. | [email protected] | 8.1 | 6.72% | 2024-02-01 | 2025-05-07 |
| CVE-2023-47256 | ConnectWise ScreenConnect through 23.8.4 allows local users to connect to arbitrary relay servers via implicit trust of proxy settings | [email protected] | 5.5 | 0.05% | 2024-02-01 | 2025-06-17 |
| CVE-2023-25719 | ConnectWise Control before 22.9.10032 (formerly known as ScreenConnect) fails to validate user-supplied parameters such as the Bin/ConnectWiseControl.Client.exe h parameter. This results in reflected data and injection of malicious code into a downloaded executable. The executable can be used to execute malicious queries or as a denial-of-service vector. NOTE: this CVE Record is only about the parameters, such as the h parameter (this CVE Record is not about the separate issue of signed executab | [email protected] | 8.8 | 0.50% | 2023-02-13 | 2025-06-19 |
| CVE-2023-25718 | In ConnectWise Control through 22.9.10032 (formerly known as ScreenConnect), after an executable file is signed, additional instructions can be added without invalidating the signature, such as instructions that result in offering the end user a (different) attacker-controlled executable file. It is plausible that the end user may allow the download and execution of this file to proceed. There are ConnectWise Control configuration options that add mitigations. | [email protected] | 9.8 | 0.40% | 2023-02-13 | 2025-06-19 |
| CVE-2023-23130 | Connectwise Automate 2022.11 is vulnerable to Cleartext authentication. Authentication is being done via HTTP (cleartext) with SSL disabled. OTE: the vendor's position is that, by design, this is controlled by a configuration option in which a customer can choose to use HTTP (rather than HTTPS) during troubleshooting. | [email protected] | 5.9 | 0.16% | 2023-02-01 | 2024-11-21 |
| CVE-2023-23128 | Connectwise Control 22.8.10013.8329 is vulnerable to Cross Origin Resource Sharing (CORS). The vendor's position is that two endpoints have Access-Control-Allow-Origin wildcarding to support product functionality, and that there is no risk from this behavior. The vulnerability report is thus not valid. | [email protected] | 6.1 | 0.19% | 2023-02-01 | 2025-03-27 |
| CVE-2023-23127 | In Connectwise Control 22.8.10013.8329, the login page does not implement HSTS headers therefore not enforcing HTTPS. NOTE: the vendor's position is that, by design, this is controlled by a configuration option in which a customer can choose to use HTTP (rather than HTTPS) during troubleshooting. | [email protected] | 5.3 | 0.15% | 2023-02-01 | 2024-11-21 |
| CVE-2023-23126 | Connectwise Automate 2022.11 is vulnerable to Clickjacking. The login screen can be iframed and used to manipulate users to perform unintended actions. NOTE: the vendor's position is that a Content-Security-Policy HTTP response header is present to block this attack. | [email protected] | 6.1 | 0.28% | 2023-02-01 | 2024-11-21 |