Emergency Security Bulletin: Cleartext Transmission of Sensitive Information in ConnectWise Automate Agent


By: RedLegg's Cyber Threat Intelligence Team

About:

CVE-2025-11492 is a critical flaw in ConnectWise Automate agents that transmit data over HTTP instead of HTTPS, exposing credentials and commands to interception or manipulation.

RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats that we classify at the highest severity level and that warrant out-of-band emergency patching or mitigation action.


VULNERABILITIES

Cleartext Transmission of Sensitive Information in ConnectWise Automate Agent


Identifier: CVE-2025-11492
CVSS Score: 9.6
Exploit or Proof of Concept (PoC): No
Update: ConnectWise released Automate version 2025.9, which enforces HTTPS for all agent communications to address this vulnerability. On-premises instances must be updated to version 2025.9 or later.

Description:

In versions of ConnectWise Automate prior to 2025.9, agents could be configured or default to using HTTP instead of HTTPS for communications. Because HTTP transmits data in cleartext, an attacker positioned on the network path could intercept, modify, or replay commands and data between the agent and server. Successful exploitation could result in the compromise of agent credentials, command manipulation, or remote code execution depending on the attacker's position and capabilities.

Mitigation Recommendation:

Apply the update to ConnectWise Automate version 2025.9 or newer for all on-premises servers and agents to enforce HTTPS.
 
Ensure that agents cannot fall back to HTTP; enforce TLS/HTTPS only in all configurations.
 
Restrict network access so that agent-server communication is limited to trusted endpoints and ports and protected through segmentation or firewall rules.
 
Rotate or reissue credentials, tokens, or certificates if interception or tampering is suspected.
 
Monitor network traffic for agent communications over unencrypted HTTP and investigate any anomalous agent activity or update behavior.
 
If patching cannot be applied immediately, use VPNs or other secure tunneling mechanisms to protect agent communications until the fix is deployed.
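The monitoring step above (flagging agent communications that still travel over unencrypted HTTP so those hosts can be checked for the 2025.9 update) can be scripted against a network flow export. The script below is an added example written for this bulletin; it is not RedLegg or ConnectWise code. It assumes a JSON Lines flow export with the field names shown (src_ip, dst_ip, dst_port, proto, app), an Automate server address of 10.0.0.50, and the sample records are constructed.

```python
"""Flag ConnectWise Automate agent traffic that is still using cleartext HTTP.

Added example for this bulletin, not ConnectWise or RedLegg code. It assumes a
flow export in JSON Lines form with the fields used below (src_ip, dst_ip,
dst_port, proto, app) and a known set of Automate server addresses; adjust the
field names to your own sensor's schema.
"""
from __future__ import annotations

import json
from dataclasses import dataclass

# Constructed sample records: one TLS flow to the Automate server, one plain
# HTTP flow to it, one unrelated HTTP flow elsewhere, and one HTTP flow to the
# server on an alternate port.
SAMPLE_FLOWS = """\
{"ts": "2025-10-21T14:00:01Z", "src_ip": "10.20.5.14", "dst_ip": "10.0.0.50", "dst_port": 443, "proto": "tcp", "app": "tls"}
{"ts": "2025-10-21T14:00:07Z", "src_ip": "10.20.5.17", "dst_ip": "10.0.0.50", "dst_port": 80, "proto": "tcp", "app": "http"}
{"ts": "2025-10-21T14:00:09Z", "src_ip": "10.20.5.17", "dst_ip": "192.0.2.10", "dst_port": 80, "proto": "tcp", "app": "http"}
{"ts": "2025-10-21T14:00:12Z", "src_ip": "10.20.5.21", "dst_ip": "10.0.0.50", "dst_port": 8080, "proto": "tcp", "app": "http"}
"""

AUTOMATE_SERVERS = {"10.0.0.50"}   # assumed address of the on-prem Automate server
CLEARTEXT_HTTP_PORTS = {80, 8080}  # ports where plain HTTP is commonly served


@dataclass(frozen=True)
class Finding:
    ts: str
    agent_ip: str
    server_ip: str
    dst_port: int


def is_cleartext_http(rec: dict) -> bool:
    """True when the sensor saw plain HTTP (by app label or by port) and not TLS."""
    app = str(rec.get("app", "")).lower()
    if app == "tls":
        return False
    return app == "http" or int(rec.get("dst_port", 0)) in CLEARTEXT_HTTP_PORTS


def find_cleartext_agent_flows(jsonl: str, servers=AUTOMATE_SERVERS) -> list[Finding]:
    """Return every flow to an Automate server that is not TLS-protected."""
    findings = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("dst_ip") not in servers:
            continue  # traffic to other hosts is out of scope for this check
        if is_cleartext_http(rec):
            findings.append(
                Finding(rec["ts"], rec["src_ip"], rec["dst_ip"], int(rec["dst_port"]))
            )
    return findings


def summarize(findings: list[Finding]) -> dict[str, list[Finding]]:
    """Group findings per agent host so each can be checked for the 2025.9 update."""
    per_agent: dict[str, list[Finding]] = {}
    for f in findings:
        per_agent.setdefault(f.agent_ip, []).append(f)
    return per_agent


if __name__ == "__main__":
    for ip, items in summarize(find_cleartext_agent_flows(SAMPLE_FLOWS)).items():
        print(f"{ip}: {len(items)} cleartext HTTP flow(s) to an Automate server")
```

Run against the constructed sample, the script reports two agent hosts (10.20.5.17 and 10.20.5.21) talking to the Automate server without TLS; the unrelated HTTP flow to 192.0.2.10 is ignored because the check is scoped to the server addresses. Any host it reports is a candidate for the version check and credential rotation steps listed above.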