ConnectWise Flaws Let Attackers Deliver Malicious Software Updates

ConnectWise has issued a critical security update for its Automate platform after uncovering vulnerabilities that could allow attackers to intercept and tamper with software updates.

The flaws, present in on-premises installations configured to use unsecured communication channels, put organizations at risk of deploying malicious code under the guise of routine patches.

ConnectWise Automate 2025.9, released on October 16, 2025, addresses these weaknesses by enforcing HTTPS for all agent communications.

Unsecured Channels Expose Critical Communications

In some deployments of ConnectWise Automate, agents were permitted to communicate with the server over plain HTTP or rely on weaker encryption settings.

This configuration exposed sensitive traffic to network-based adversaries who could both read and alter data in transit.

By exploiting the flaws, attackers can inject malicious payloads into the update process, causing compromised agents to install unauthorised software that appears legitimate.

The risk is particularly high for environments where on-premises servers are not configured to enforce TLS 1.2 or higher, leaving agent communications vulnerable to interception and modification.

Two distinct vulnerabilities underlie the risk:

| CVE | CWE ID | Description | Base Score | Vector |
|---|---|---|---|---|
| CVE-2025-11492 | CWE-319 | Cleartext Transmission of Sensitive Information | 9.6 | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| CVE-2025-11493 | CWE-494 | Download of Code Without Integrity Check | 8.8 | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |

Both issues earned high CVSS 3.1 scores, reflecting the severe impact an attacker-controlled network could have on the confidentiality, integrity, and availability of agent communications.

The cleartext transmission flaw (CVE-2025-11492) allows complete data disclosure and modification, while the integrity gap (CVE-2025-11493) enables installation of unauthorised code even when encryption is in place.

ConnectWise Automate 2025.9 implements mandatory HTTPS connections for all agent traffic, closing the window for plain-text interception.

Partners operating on-premises must verify that their servers reject HTTP and enforce TLS 1.2 or newer. Cloud-hosted instances have already received the update, ensuring secure delivery of future patches.

Administrators running affected versions before 2025.9 should apply the new release immediately to prevent exploitation.

Organizations using on-premises servers should download and install ConnectWise Automate 2025.9 without delay.

After updating, confirm that agent-to-server connections require HTTPS and that TLS 1.2 is enforced. For detailed instructions, refer to the official release notes: ConnectWise Automate Release Notes 2025.9.
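The two weaknesses above map to two controls on the agent side: the transport must be HTTPS with TLS 1.2 or newer (CWE-319), and a downloaded package must be checked against an integrity value obtained out of band before it is installed (CWE-494). The following is an added illustration, not ConnectWise code and not a description of how Automate's agent is implemented: a minimal update-fetch client that refuses non-HTTPS URLs, builds a client TLS context pinned to 1.2+, and verifies a SHA-256 digest before handing the blob to an installer. The host name, the sample payload and its digest are constructed for the example.

```python
"""Added example (not ConnectWise's own code): a hardened update-fetch client
that addresses the two weaknesses the article names.

  CWE-319  -> refuse plain HTTP, pin a TLS 1.2+ client context
  CWE-494  -> verify the package digest before installing anything

All names (host, payload, digest) are constructed for illustration.
"""
import hashlib
import hmac
import ssl
from urllib.parse import urlparse


class UpdateRejected(Exception):
    """Raised when an update fails a transport or integrity check."""


def secure_tls_context() -> ssl.SSLContext:
    """Client context that validates the server certificate and host name
    and refuses anything older than TLS 1.2 (CVE-2025-11492 mitigation)."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_hardened(ctx: ssl.SSLContext) -> bool:
    """Quick self-check used before any update connection is opened."""
    return (
        ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
        and ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.check_hostname
    )


def is_acceptable_update_url(url: str) -> bool:
    """Only https:// URLs with a host are acceptable for update downloads."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and bool(parsed.hostname)


def verify_update(blob: bytes, expected_sha256_hex: str) -> bool:
    """Integrity check (CVE-2025-11493 mitigation). The expected digest must
    come from a trusted out-of-band source, never from the same download."""
    actual = hashlib.sha256(blob).hexdigest()
    # constant-time comparison avoids leaking how many leading chars matched
    return hmac.compare_digest(actual, expected_sha256_hex.lower())


def install_if_valid(url: str, blob: bytes, expected_sha256_hex: str, install) -> bool:
    """Gate: transport policy first, then integrity, then install.
    `install` is a callable that receives the verified bytes."""
    if not is_acceptable_update_url(url):
        raise UpdateRejected(f"refusing non-HTTPS update URL: {url}")
    if not context_is_hardened(secure_tls_context()):
        raise UpdateRejected("TLS client context is not hardened")
    if not verify_update(blob, expected_sha256_hex):
        raise UpdateRejected("update package digest mismatch; not installing")
    install(blob)
    return True


# --- constructed sample data (hypothetical host, payload and digest) --------
SAMPLE_URL_OK = "https://automate.example.internal/updates/agent.bin"   # hypothetical
SAMPLE_URL_BAD = "http://automate.example.internal/updates/agent.bin"   # plain HTTP
SAMPLE_UPDATE = b"constructed sample update payload, not a real package"
# In production this digest is published by the vendor out of band; it is
# computed here only so the constructed sample is self-consistent.
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_UPDATE).hexdigest()


if __name__ == "__main__":
    installed = []
    install_if_valid(SAMPLE_URL_OK, SAMPLE_UPDATE, SAMPLE_SHA256, installed.append)
    print("installed:", len(installed))           # 1
    try:
        install_if_valid(SAMPLE_URL_BAD, SAMPLE_UPDATE, SAMPLE_SHA256, installed.append)
    except UpdateRejected as exc:
        print("rejected:", exc)
    try:
        install_if_valid(SAMPLE_URL_OK, SAMPLE_UPDATE + b"tampered", SAMPLE_SHA256, installed.append)
    except UpdateRejected as exc:
        print("rejected:", exc)
```

The digest check is only meaningful if the expected value does not travel over the channel being protected; a vendor-published hash or a signature verified against a pinned public key are the usual sources. Note also that `secure_tls_context()` only governs the agent side: the release notes' instruction to confirm the server rejects HTTP and TLS below 1.2 still has to be verified on the server configuration itself.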

By promptly applying the security fix and strengthening transport encryption, ConnectWise customers can safeguard against malicious update deliveries and protect their automated management infrastructure from emerging threats.

About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.