A newly disclosed set of high-severity vulnerabilities in ConnectWise’s Automate remote monitoring and management (RMM) platform has triggered an urgent call for patching among managed service providers (MSPs) and IT administrators. ConnectWise released Automate version 2025.9 to mitigate the risks, with cloud-hosted instances updated automatically and on-premises installations requiring manual intervention. The flaws, tracked as CVE-2025-11492 and CVE-2025-11493, open the door to adversary-in-the-middle (AitM) attacks and malicious update injections—raising serious concerns for any organizations relying on Automate for critical infrastructure management.
Vulnerabilities in Agent Communication Mechanisms Led to Elevated Risk
Technical misconfigurations affecting encryption and integrity checks could be chained for takeover attacks.
The most critical issue, CVE-2025-11492, carries a CVSS score of 9.6 and arises from a configuration loophole that allows Automate agents to communicate with their centralized servers over unencrypted HTTP rather than HTTPS. This oversight exposes those communications to interception and manipulation—enabling AitM attacks that can compromise credentials, configuration data, or even permit command injection.
CVE-2025-11493, rated at CVSS 8.8, involves a lack of cryptographic integrity verification in update packages and their embedded dependencies. Threat actors exploiting this flaw could impersonate a legitimate ConnectWise server to serve spoofed or malicious update payloads to connected agents. When used in combination, these vulnerabilities provide an attack path for inserting arbitrary code into managed systems, even without direct access to the servers.
Key risks include:
- Interception of security credentials, remote commands, and sensitive client data
- Injection of malicious scripts or binaries masquerading as official updates
- Threat propagation across multi-tenant environments via a single compromised agent
On-Premises ConnectWise Instances Remain at Risk Unless Manually Patched
Cloud users are protected automatically, but on-prem setups require urgent hands-on intervention.
In its advisory published October 16, ConnectWise confirmed the vulnerabilities affect all Automate versions prior to 2025.9. While cloud-hosted deployments of ConnectWise Automate have already received automatic updates, on-premises environments remain exposed unless the new version is manually installed.
ConnectWise emphasized that the patch not only enforces HTTPS for all agent-server communication but also recommends enabling TLS 1.2 or higher to mitigate the risk of protocol downgrade attacks. Organizations are urged to:
- Apply the 2025.9 patch immediately to all on-prem instances of Automate.
- Re-audit configurations to ensure encryption enforcement and removal of legacy HTTP channels.
- Monitor network traffic for suspicious activity suggesting prior compromise or ongoing attack attempts.
Despite the absence of confirmed in-the-wild exploitation at the time of publication, the architecture of the flaws and their potential use in sophisticated supply chain attacks make them high-value targets for threat actors.
Managed Service Providers Face Elevated Supply Chain Exposure
MSPs using ConnectWise in multi-tenant environments could see cascading effects from a single point of failure.
Security analysts have warned that the design of many MSP networks exacerbates the impact of these vulnerabilities. If just one agent in a shared environment is compromised due to unencrypted communication or forged updates, the breach could extend to multiple downstream clients.
“In a multi-tenant architecture, lateral movement from one compromised agent to other systems becomes much more feasible,” noted experts responding to ConnectWise’s advisory. “Mitigation requires endpoint patching and systemic hardening of the RMM ecosystem.”
These concerns closely mirror prior incidents involving other ConnectWise products. In early 2024, a separate vulnerability in ScreenConnect (CVE-2024-1709) allowed attacker-controlled admin account creation without authentication. That flaw saw confirmed exploitation and drew warnings from the Australian Cyber Security Centre. In April 2025, remote code execution vulnerabilities were discovered in ConnectWise’s Server Backup Manager and R1Soft products, again prompting rapid patch issuance and cross-industry concern.
Action Steps for Enterprises and MSPs Using ConnectWise Automate
All users of affected versions are advised to treat this as a critical infrastructure risk.
With no workaround available short of applying the update, organizations should prioritize the following actions:
- Manually upgrade all on-premises deployments of ConnectWise Automate to version 2025.9.
- Enforce HTTPS across all agent configurations and verify that TLS 1.2 or higher is in use.
- Enable integrity verification checks for update delivery systems and validate all components in the chain.
- Review system logs and network traffic from before the patch to check for any signs of compromise.
- For MSPs, audit all customer environments that rely on the Automate agent to assess exposure.
While ConnectWise rated the flaws as “Important” with a moderate priority level, many security professionals are urging faster response times due to the increasing likelihood of opportunistic targeting by threat actors.
A Pivotal Moment for Trust in RMM Tools
The Automate patch highlights the growing sensitivity around tools that manage critical IT infrastructure.
Remote monitoring and management platforms are prime targets for attackers because of their broad visibility and control over enterprise environments. This latest ConnectWise vulnerability serves as a sharp reminder that strong encryption and integrity protections are not optional—they are essential for trust and system resilience.
With threat actors continually seeking access to upstream management layers, failure to secure RMM tools like ConnectWise Automate can lead to widespread breaches reaching far beyond a single organization’s perimeter.
Security teams responsible for ConnectWise deployments are advised to stay vigilant, review vendor advisories regularly, and adopt a conservative patching policy—prioritizing immediate deployment over operational delay when critical flaws like CVE-2025-11492 and CVE-2025-11493 are found.
