ConnectWise has released a critical security update for its Automate remote monitoring and management (RMM) platform, addressing two high-severity vulnerabilities that could allow attackers to intercept agent communications or inject malicious updates in certain configurations.
The flaws, tracked as CVE-2025-11492 and CVE-2025-11493, affect ConnectWise Automate versions prior to 2025.9. Both carry CVSS base scores of 8.8 or higher, placing them in the high to critical risk category.
The first vulnerability, CVE-2025-11492 (CVSS 9.6), stems from a configuration issue in which Automate Agents could be set to communicate using unencrypted HTTP instead of HTTPS.
“In the ConnectWise Automate Agent, communications could be configured to use HTTP instead of HTTPS. In such cases, an on-path threat actor with a man-in-the-middle network position could intercept, modify, or replay agent-server traffic,” the CVE description explains.
This means that if agents are configured to use HTTP, an on-path attacker, for example one on the same network, could view sensitive data, alter communications, or even inject malicious commands into the RMM traffic.
The vulnerability is particularly dangerous because RMM tools like ConnectWise Automate have broad administrative access to managed systems — making any compromise potentially catastrophic.
To mitigate this risk, ConnectWise’s latest patch enforces HTTPS for all agent communications.
“Automate 2025.9 patch enforces HTTPS for all agent communications to mitigate these risks. Partners running on-prem servers should also ensure TLS 1.2 is enforced to maintain secure communications,” the company added.
The second flaw, CVE-2025-11493 (CVSS 8.8), involves insufficient verification of update files downloaded by the Automate Agent from its management server.
“The ConnectWise Automate Agent does not fully verify the authenticity of files downloaded from the server, such as updates, dependencies, and integrations,” the advisory warns. “This creates a risk where an on-path attacker could perform a man-in-the-middle attack and substitute malicious files for legitimate ones by impersonating a legitimate server.”
In essence, this flaw could allow an attacker who intercepts network traffic to replace legitimate update files with trojanized binaries, effectively delivering malware through the RMM’s trusted update mechanism.
ConnectWise clarified that this issue is closely related to CVE-2025-11492 and is mitigated when HTTPS is enforced between agents and servers.
The vulnerabilities affect ConnectWise Automate versions prior to 2025.9, which did not enforce secure HTTPS communications or verify update authenticity with sufficient rigor.
Cloud-hosted instances have already been secured. “Cloud instances have already been updated to the latest Automate release,” ConnectWise confirmed. “For on-prem deployments, partners must apply the 2025.9 release to address both vulnerabilities.”
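The advice to on-prem partners to ensure TLS 1.2 is enforced can be checked from outside the server. The following is an added example, not ConnectWise code: it offers one TLS version at a time to a server you operate and reports any legacy version that is still accepted. The function names, the outcome labels and the default port 443 are assumptions made for this illustration.

```python
import socket
import ssl
import sys
# Versions to probe; the first two must be refused once TLS 1.2 is enforced.
VERSIONS = {"TLSv1.0": ssl.TLSVersion.TLSv1, "TLSv1.1": ssl.TLSVersion.TLSv1_1,
            "TLSv1.2": ssl.TLSVersion.TLSv1_2}
LEGACY = ("TLSv1.0", "TLSv1.1")

def probe_tls(host, port, version, timeout=5.0):
    """Offer exactly one TLS version; return accepted/rejected/unreachable/untestable."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # protocol support is under test, not the certificate
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # let the client offer legacy versions
        ctx.minimum_version = ctx.maximum_version = version
    except (ssl.SSLError, ValueError):
        return "untestable"         # local OpenSSL build cannot speak this version
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    try:
        with ctx.wrap_socket(sock, server_hostname=host):
            return "accepted"
    except OSError:                 # ssl.SSLError, resets and timeouts during the handshake
        return "rejected"
    finally:
        sock.close()

def assess(results):
    """Map {version: outcome} to findings; an empty list means TLS 1.2 is enforced."""
    findings = []
    for name, outcome in results.items():
        if outcome in ("unreachable", "untestable"):
            findings.append(f"{name}: {outcome}, result inconclusive")
        elif name in LEGACY and outcome == "accepted":
            findings.append(f"{name}: accepted, disable it on the server")
        elif name == "TLSv1.2" and outcome == "rejected":
            findings.append("TLSv1.2: rejected, server does not offer TLS 1.2")
    return findings

def audit(host, port=443):
    results = {n: probe_tls(host, port, v) for n, v in VERSIONS.items()}
    return results, assess(results)

if __name__ == "__main__":
    results, findings = audit(sys.argv[1])  # hostname of your own Automate server
    print(results, *findings, sep="\n")
```

An "untestable" result means the probing host's OpenSSL cannot offer that version, so run the check from a host whose build still supports TLS 1.0 and 1.1 before treating the server as clean.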