CVE-2025-11492
ConnectWise · ConnectWise Automate and related products
A critical vulnerability has been identified in ConnectWise Automate products, assigned a CVSS score of 9.6.
Executive summary
A critical vulnerability has been identified in ConnectWise Automate products, assigned a CVSS score of 9.6. The flaw allows an attacker with a network position to intercept unencrypted communications between the Automate agent and its server, potentially leading to data theft, command injection, and a complete compromise of managed systems. Organizations are urged to apply updates immediately to mitigate the risk of widespread system takeover.
Vulnerability
The vulnerability exists in the ConnectWise Automate Agent's communication protocol. If the agent is configured to use unencrypted HTTP instead of HTTPS, all data transmitted between the agent and the server is sent in cleartext. An attacker with a Man-in-the-Middle (MitM) position on the network can intercept this traffic. This allows the threat actor to read sensitive information, modify legitimate commands in transit, or inject malicious commands, ultimately leading to remote code execution and full administrative control over the endpoint.
Business impact
This vulnerability is rated as critical severity with a CVSS score of 9.6. Exploitation could have a devastating impact on the business. Since ConnectWise Automate is a Remote Monitoring and Management (RMM) tool with high privileges on managed endpoints, a successful attack could grant a threat actor administrative access to a significant portion, or all, of an organization's IT infrastructure. This could lead to mass deployment of ransomware, widespread data exfiltration of sensitive corporate or customer information, severe business disruption, and significant financial and reputational damage.
Remediation
Immediate Action: Apply the security updates provided by ConnectWise to all affected Automate instances and agents, following the vendor's guidance. After patching, review server and agent logs for indicators of compromise, such as unusual administrative actions or unexpected configuration changes that may have occurred before the update.
Proactive Monitoring:
- Network Traffic: Use network monitoring tools to inspect traffic between Automate agents and the server, and alert on any unencrypted HTTP traffic (typically on port 80) originating from agents. All legitimate agent-to-server communication should be encrypted over HTTPS (typically on port 443).
- Log Analysis: Review ConnectWise Automate logs for unauthorized access, unexpected script execution, or changes to agent communication settings.
- Endpoint Behavior: Monitor managed endpoints for anomalous activity, such as the creation of new user accounts, unexpected software installations, or outbound connections to suspicious IP addresses.
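The network-traffic check above can be scripted against flow logs. The following is an added example, not ConnectWise code and not from the advisory: it reads Zeek-style conn.log records and raises an alert for every agent-to-Automate-server flow that is not TLS-protected, including cleartext HTTP on a non-standard port. The server address (10.0.0.5), the agent subnet (10.10.0.0/16) and the log lines are constructed assumptions; substitute your own deployment values.

```python
"""Flag cleartext HTTP between RMM agents and the Automate server.

Added example, not ConnectWise code. Assumes Zeek-style conn.log lines
(tab-separated: ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p,
proto, service) plus a hypothetical server address and agent subnet.
"""
import ipaddress
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv6Address
from typing import List, Optional, Union

# Hypothetical deployment values (assumptions, not from the advisory).
AUTOMATE_SERVER = ipaddress.ip_address("10.0.0.5")
AGENT_SUBNETS = [ipaddress.ip_network("10.10.0.0/16")]

# Constructed sample records in Zeek conn.log column order (tab-separated):
# ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, service
SAMPLE_CONN_LOG = (
    "1700000000.1\tC1\t10.10.1.20\t51000\t10.0.0.5\t443\ttcp\tssl\n"    # TLS: fine
    "1700000001.2\tC2\t10.10.1.21\t51001\t10.0.0.5\t80\ttcp\thttp\n"    # cleartext
    "1700000002.3\tC3\t10.10.1.22\t51002\t10.0.0.5\t8040\ttcp\thttp\n"  # cleartext, odd port
    "1700000003.4\tC4\t10.10.1.23\t51003\t203.0.113.7\t80\ttcp\thttp\n" # not the server
    "1700000004.5\tC5\t10.10.1.24\t51004\t10.0.0.5\t443\ttcp\t-\n"      # 443, unlabelled
    "malformed line\n"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    agent: str
    server: str
    port: int
    reason: str


def parse_conn_line(line: str) -> Optional[dict]:
    """Parse one conn.log record; return None for malformed lines."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) < 8:
        return None
    ts, _uid, orig_h, _orig_p, resp_h, resp_p, proto, service = fields[:8]
    try:
        return {
            "ts": ts,
            "orig_h": ipaddress.ip_address(orig_h),
            "resp_h": ipaddress.ip_address(resp_h),
            "resp_p": int(resp_p),
            "proto": proto,
            "service": service,
        }
    except ValueError:
        return None


def is_agent(ip: Union[IPv4Address, IPv6Address]) -> bool:
    """True when the source address falls inside a known agent subnet."""
    return any(ip in net for net in AGENT_SUBNETS)


def find_cleartext_agent_traffic(log_text: str) -> List[Alert]:
    """Return one Alert per agent->server TCP flow that is not TLS-protected."""
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        rec = parse_conn_line(line)
        if rec is None or rec["proto"] != "tcp":
            continue
        if rec["resp_h"] != AUTOMATE_SERVER or not is_agent(rec["orig_h"]):
            continue  # only agent-to-Automate-server flows are in scope
        port, service = rec["resp_p"], rec["service"]
        if service == "http":
            reason = "cleartext HTTP to Automate server"
            if port != 80:
                reason += f" on non-standard port {port}"
        elif port == 80 and service != "ssl":
            reason = "agent connected to Automate server on port 80"
        else:
            continue  # TLS, or a port with no cleartext indication
        alerts.append(Alert(rec["ts"], str(rec["orig_h"]), str(rec["resp_h"]), port, reason))
    return alerts


if __name__ == "__main__":
    for a in find_cleartext_agent_traffic(SAMPLE_CONN_LOG):
        print(f"{a.ts} {a.agent} -> {a.server}:{a.port}  {a.reason}")
```

The check keys on Zeek's protocol detection (`service`) rather than on the port alone, so HTTP moved to an unusual port is still caught, while a port-443 flow that Zeek could not classify is left alone rather than raising a false alert. Run it against a real conn.log by replacing `SAMPLE_CONN_LOG` with the file contents.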
Compensating Controls:
- Enforce TLS: If patching is delayed, immediately reconfigure all agents to enforce communication over HTTPS only. Disable HTTP communication within the Automate server settings if possible.
- Network Segmentation: Isolate the ConnectWise Automate server and restrict access to it. Implement network controls to reduce the risk of an attacker gaining an on-path position between agents and the server.
- Intrusion Detection/Prevention Systems (IDS/IPS): Configure network security tools to detect and block traffic patterns indicative of MitM attacks.
Exploitation status
Public Exploit Available: false
Analyst recommendation
This vulnerability represents a critical risk to the organization and must be addressed with the highest priority. Given the CVSS score of 9.6 and the potential for complete network compromise, we strongly recommend that the vendor-supplied patches be applied immediately across all affected systems. Although this CVE is not yet listed on the CISA KEV catalog, the severity and platform targeted make it a likely candidate for future exploitation. Proactive patching and implementation of the recommended monitoring controls are essential to defend against this threat.