
ConnectWise Automate vulnerabilities patched

2 unique sources, 2 articles

Summary


ConnectWise has released a security update for its Automate product to address two vulnerabilities. The more severe, CVE-2025-11492, allows cleartext transmission of sensitive information, exposing agent-to-server communications to adversary-in-the-middle (AiTM) attacks. The second, CVE-2025-11493, is a lack of integrity verification for update packages. Both affect on-premises deployments of Automate, a remote monitoring and management (RMM) platform used by managed service providers (MSPs) and IT departments. ConnectWise marks the update as moderate priority on its own scale and advises administrators to install it as soon as possible. An attacker positioned on the network path between agents and the server could intercept or modify traffic, including commands, credentials, and update payloads, potentially leading to the installation of malicious files. The Automate 2025.9 patch enforces HTTPS for all agent communications to close the cleartext gap. Partners running on-premises servers should also ensure TLS 1.2 is enforced on the server, so that agents cannot negotiate older, weaker protocol versions.
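The two controls the advisory describes, refusing cleartext transport (CVE-2025-11492) and verifying an update package before installing it (CVE-2025-11493), are easy to state and easy to get wrong. The following is an added example written for this page, not ConnectWise or Automate code: a small Python update fetcher showing the vulnerable shape beside the hardened one, with a client TLS policy that enforces a TLS 1.2 floor. The URLs under updates.example.invalid, the package bytes, and the pinned digest are constructed for the example; a SHA-256 digest pinned from a trusted manifest stands in for the vendor package signature a real installer would check, so the block runs offline with only the standard library.

```python
"""Added example (not ConnectWise code): an update fetcher that closes the
two gaps the Automate advisory describes.

The hypothetical URLs, the package bytes and the pinned digest are
constructed for this example. Real deployments should verify the vendor's
package signature (for example Authenticode on Windows installers); a digest
pinned from a trusted manifest stands in for that here.
"""
import hashlib
import hmac
import ssl
import urllib.request
from urllib.parse import urlparse

# Constructed sample package and the SHA-256 a trusted manifest would pin for it.
SAMPLE_PACKAGE = b"PK\x03\x04example-agent-update\x00not-a-real-installer"
PINNED_SHA256 = hashlib.sha256(SAMPLE_PACKAGE).hexdigest()


def is_cleartext_url(url: str) -> bool:
    """True when the update would travel over plain HTTP (the CVE-2025-11492 pattern)."""
    return urlparse(url).scheme.lower() != "https"


def package_matches_pin(package: bytes, pinned_sha256: str) -> bool:
    """The integrity check CVE-2025-11493 describes as missing.

    compare_digest keeps the comparison constant-time so the expected digest
    cannot be learned byte by byte from timing differences.
    """
    actual = hashlib.sha256(package).hexdigest()
    return hmac.compare_digest(actual, pinned_sha256.lower())


def make_tls_context() -> ssl.SSLContext:
    """Client TLS policy matching the advisory: certificate and hostname
    verification on, and nothing older than TLS 1.2 negotiated."""
    ctx = ssl.create_default_context()      # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def describe_tls_context(ctx: ssl.SSLContext) -> dict:
    """Plain-data view of the policy so it can be logged or asserted on."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "check_hostname": ctx.check_hostname,
        "verify_mode": ctx.verify_mode.name,
    }


def fetch_update_unverified(url: str, fetch) -> bytes:
    """The vulnerable shape: any scheme accepted, bytes installed as received."""
    return fetch(url)


def fetch_update_verified(url: str, pinned_sha256: str, fetch=None) -> bytes:
    """Hardened shape: refuse cleartext transport, require TLS 1.2+, and
    reject a package whose digest does not match the pin.

    `fetch` is injectable so the logic can be exercised without a network;
    when omitted, urllib is used with the hardened TLS context.
    """
    if is_cleartext_url(url):
        raise ValueError(f"refusing cleartext update URL: {url}")
    if fetch is None:
        ctx = make_tls_context()

        def _https_fetch(u: str) -> bytes:
            with urllib.request.urlopen(u, context=ctx, timeout=30) as resp:
                return resp.read()

        fetch = _https_fetch
    package = fetch(url)
    if not package_matches_pin(package, pinned_sha256):
        raise ValueError("update package rejected: SHA-256 does not match pinned digest")
    return package


if __name__ == "__main__":
    # Offline demonstration with fake transports standing in for the network.
    good = lambda u: SAMPLE_PACKAGE
    tampered = lambda u: SAMPLE_PACKAGE + b"\x90\x90"   # AiTM-modified payload
    http_url = "http://updates.example.invalid/agent.zip"
    https_url = "https://updates.example.invalid/agent.zip"

    print("vulnerable fetch accepted tampered bytes:",
          fetch_update_unverified(http_url, tampered) != SAMPLE_PACKAGE)
    print("hardened fetch accepted pinned package:",
          fetch_update_verified(https_url, PINNED_SHA256, good) == SAMPLE_PACKAGE)
    for label, url, transport in (("cleartext URL", http_url, good),
                                  ("tampered package", https_url, tampered)):
        try:
            fetch_update_verified(url, PINNED_SHA256, transport)
        except ValueError as exc:
            print(f"hardened fetch rejected {label}: {exc}")
    print("TLS policy:", describe_tls_context(make_tls_context()))
```

The point of the injectable `fetch` is that the transport and the integrity decision are separate: enforcing HTTPS alone does not help if the server-side package is swapped, and a digest check alone does not help if the manifest carrying the digest arrived over cleartext, which is why both checks sit in the same function.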

Timeline

  1. 17.10.2025 22:29 · 2 articles

    ConnectWise Automate vulnerabilities patched

    ConnectWise has released a security update for Automate addressing two vulnerabilities in on-premises deployments: CVE-2025-11492 (cleartext transmission of sensitive information, exposing agent communications to adversary-in-the-middle (AiTM) attacks; CVSS 9.6) and CVE-2025-11493 (lack of integrity verification for update packages; CVSS 8.8). ConnectWise marks the update as moderate priority on its own scale and advises administrators to install it as soon as possible. There is no report of active exploitation, but RMM platforms are high-value targets because a compromised server reaches every endpoint it manages, so these flaws carry a higher risk of being targeted. The Automate 2025.9 patch enforces HTTPS for all agent communications; partners running on-premises servers should also ensure TLS 1.2 is enforced to maintain secure communications.


Similar Happenings

Active Exploitation of Unpatched Gladinet and TrioFox Vulnerability

Active exploitation of a security flaw in Gladinet CentreStack and TrioFox products continues. The vulnerability, CVE-2025-11371, is an unauthenticated local file inclusion bug that discloses system files; it affects all versions up to and including 16.7.10368.56560. Researchers at Huntress detected the exploitation on September 27, 2025, and three customers have been impacted so far. Attackers used the flaw to read the ASP.NET machine key from the application's Web.config file, then used that key to achieve remote code execution (RCE) through the older ViewState deserialization vulnerability CVE-2025-30406. Gladinet was notified and, while working on a fix, recommended an interim mitigation: disable the "temp" handler within the Web.config file for UploadDownloadProxy. The mitigation removes some platform functionality but prevents exploitation of CVE-2025-11371. A patch is now available in CentreStack version 16.10.10408.56683; users are advised to upgrade, or to apply the mitigation if upgrading is not possible.

Critical deserialization flaw in GoAnywhere MFT (CVE-2025-10035) patched

The critical deserialization vulnerability CVE-2025-10035 in Fortra GoAnywhere MFT has been actively exploited by the cybercrime group Storm-1175 in Medusa ransomware attacks since at least September 11, 2025. The flaw, rated 10.0 on the CVSS scale, allows arbitrary command execution if the system is publicly accessible over the internet. It sits in the same license code path as the earlier CVE-2023-0669, which was widely exploited by multiple ransomware and APT groups in 2023, including LockBit: an attacker who forges a license response signature bypasses signature verification, the application then deserializes arbitrary attacker-controlled objects, and the result is command injection and potential remote code execution (RCE) on the affected system. Fortra's timeline: it began investigating on September 11, 2025 after a customer report, and the same day contacted on-premises customers with publicly accessible admin consoles and notified law enforcement; a hotfix for versions 7.6.x, 7.7.x, and 7.8.x followed on September 12, full patches in versions 7.6.3 and 7.8.4 on September 15, and the CVE was formally published on September 18. Exploitation therefore began a week before public disclosure. Fortra confirmed a limited number of reports of unauthorized activity related to CVE-2025-10035 and recommends restricting admin console access over the internet and enabling monitoring. The Shadowserver Foundation is monitoring over 513 GoAnywhere MFT instances exposed online; how many of those are patched is unknown. Following exploitation, the threat actor used the legitimate remote monitoring and management (RMM) tools SimpleHelp and MeshAgent to launch binaries and establish command-and-control (C2), set up a Cloudflare tunnel to hide the C2 channel, and in at least one victim environment deployed Rclone for exfiltration. Medusa ransomware has over 300 victims worldwide in critical infrastructure sectors, including a confirmed attack on a US healthcare organization in early 2025. watchTowr CEO and founder Benjamin Harris reiterated the need for transparency from Fortra regarding the private keys used in the exploit.

WeepSteel Malware Deployed via Sitecore Zero-Day Exploit

Threat actors exploited a zero-day vulnerability in Sitecore Experience Manager (XM) and Experience Platform (XP) to deliver WeepSteel malware. The flaw, tracked as CVE-2025-53690 (CVSS 9.0, critical), is not a bug in ASP.NET itself but a misconfiguration: affected deployments reused the sample ASP.NET machine key published in pre-2017 Sitecore deployment guides, a key never meant for production. It impacts Sitecore XM, XP, Experience Commerce (XC), and Managed Cloud, versions 9.0 and earlier, when deployed with that sample key; XM Cloud, Content Hub, CDP, Personalize, OrderCloud, Storefront, Send, Discover, Search, and Commerce Server are not impacted. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to patch the vulnerability by September 25, 2025. Sitecore published a security bulletin in coordination with Mandiant's report, providing mitigation guidance and indicators of compromise (IoCs) and warning that multi-instance deployments sharing static machine keys are also at risk.

The attackers targeted the '/sitecore/blocked.aspx' endpoint, which carries an unauthenticated ViewState field. Because the machine key was public, they could produce a validly signed ViewState payload that the server deserialized, giving them RCE under the IIS NETWORK SERVICE account. The dropped payload, WeepSteel, is a .NET reconnaissance backdoor that gathers system, process, disk, network, and user information, encrypts it, and exfiltrates it disguised as standard ViewState responses. The attackers ran reconnaissance commands including whoami, hostname, tasklist, ipconfig /all, and netstat -ano, then deployed Earthworm (a network tunneling and reverse SOCKS proxy), Dwagent (a remote access tool), and 7-Zip (to archive stolen data). They escalated privileges by creating local administrator accounts ('asp$' and 'sawadmin'), dumping cached credentials, and attempting token impersonation via GoTokenTheft, and secured persistence by disabling password expiration on those accounts, granting them Remote Desktop Protocol (RDP) access, and registering Dwagent as a SYSTEM service. The attacks were disrupted quickly, but they highlight the risk of default or outdated configuration settings in web applications. The recommended actions for potentially impacted administrators are to immediately replace all static <machineKey> values in web.config with new, unique keys, to ensure the <machineKey> element in web.config is encrypted, and to adopt regular static machine key rotation as an ongoing security measure. The exploitation of CVE-2025-53690 is part of a broader trend of ViewState attacks this year, including vulnerabilities in Gladinet's CentreStack, ConnectWise, and Microsoft SharePoint Server.

N-able N-central vulnerabilities exploited in the wild

Over 800 N-able N-central servers remain unpatched against two critical security flaws, CVE-2025-8875 (command execution) and CVE-2025-8876 (command injection), which have been actively exploited in the wild. Both issues are fixed in N-central versions 2025.3.1 and 2024.6 HF2, released on August 13, 2025. N-able has also urged customers to enable multi-factor authentication (MFA) for admin accounts to limit the impact of a compromised console. CISA has added the flaws to its Known Exploited Vulnerabilities Catalog and ordered federal agencies to patch their systems within one week. The exploitation underlines the importance of timely patching for remote monitoring and management (RMM) systems, which sit upstream of every endpoint they manage.

Trend Micro Apex One Management Console 0-Day Exploited

Trend Micro has disclosed two critical vulnerabilities, CVE-2025-54948 and CVE-2025-54987, in its on-premise Apex One Management Console. Both allow command injection and remote code execution, and both are actively exploited in the wild. Only on-premise deployments of the console are affected. Trend Micro has released temporary mitigations and urges users to apply them immediately; the active exploitation is a reminder of the risk carried by unpatched management consoles reachable by attackers.