Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2025-11493

CVE-2025-11493: ConnectWise Automate Auth Bypass Flaw

CVE-2025-11493 is an authentication bypass vulnerability in ConnectWise Automate Agent that allows attackers to substitute malicious files via man-in-the-middle attacks. This article covers technical details, impact, and mitigation.

Published:

CVE-2025-11493 Overview

CVE-2025-11493 affects the ConnectWise Automate Agent, which does not fully verify the authenticity of files downloaded from the server. Affected file categories include software updates, dependencies, and integrations. An on-path attacker positioned on the network can perform a man-in-the-middle (MITM) attack and substitute malicious files for legitimate ones by impersonating a legitimate server. The vulnerability is tracked under [CWE-494] (Download of Code Without Integrity Check) and is related to CVE-2025-11492. Enforcing HTTPS mitigates the risk.

Critical Impact

An adjacent network attacker can deliver malicious code to managed endpoints by impersonating the Automate server, leading to remote code execution on every agent that accepts the substituted payload.

Affected Products

  • ConnectWise Automate (versions prior to 2025.9)
  • ConnectWise Automate Agent components handling updates, dependencies, and integrations
  • Deployments where HTTPS is not enforced for agent-server communication

Discovery Timeline

  • 2025-10-16 - CVE-2025-11493 published to the National Vulnerability Database (NVD)
  • 2025-10-29 - Last updated in NVD database

Technical Details for CVE-2025-11493

Vulnerability Analysis

The ConnectWise Automate Agent retrieves files from the management server during normal operation. These files include update packages, runtime dependencies, and integration modules executed on managed endpoints. The agent does not fully validate the authenticity of these files before processing them. An attacker on the same network path can intercept the request and respond with attacker-controlled content.

Because the substituted files are treated as trusted server-provided binaries, the agent can execute them with the privileges of the Automate service. This converts a network position into code execution across every managed endpoint that fetches the tampered payload. The flaw is closely related to CVE-2025-11492 and shares the same root condition of missing integrity enforcement.

Root Cause

The root cause is the absence of cryptographic verification, such as code signing or transport-layer certificate validation, on files retrieved from the server. Without a signature check or strict HTTPS enforcement, the agent cannot distinguish a legitimate server response from one produced by an attacker impersonating that server.

Attack Vector

Exploitation requires an adjacent network position, for example ARP spoofing on a local segment, a compromised router, or a hostile Wi-Fi gateway between the agent and the Automate server. The attacker intercepts an outbound file request from the agent and returns a malicious replacement. Successful exploitation results in code execution on the endpoint running the agent. No user interaction or authentication is required.

No public proof-of-concept exploit is available for CVE-2025-11493. The vulnerability mechanism is described in prose in the ConnectWise Security Bulletin.

Detection Methods for CVE-2025-11493

Indicators of Compromise

  • Unexpected child processes spawned by the Automate agent service, particularly shortly after an update or integration download.
  • Unsigned or unexpectedly signed binaries written to Automate agent installation and working directories.
  • Agent network traffic to the Automate server over plain HTTP rather than HTTPS.
  • Certificate or TLS handshake anomalies between agents and the configured Automate server.

Detection Strategies

  • Monitor process creation events where the Automate agent service is the parent of a newly downloaded binary, then correlate with file write events in agent directories.
  • Inspect network telemetry for agent connections that fail to negotiate TLS or that connect to unexpected IP addresses for the configured server hostname.
  • Compare hashes of agent-delivered update and integration files against known-good vendor hashes.

Monitoring Recommendations

  • Enable TLS inspection or netflow logging on segments hosting Automate agents to identify cleartext or redirected sessions.
  • Alert on ARP table changes, gratuitous ARP, and rogue DHCP activity on networks that carry agent-to-server traffic.
  • Track ConnectWise security bulletin advisories for updated indicators tied to CVE-2025-11493 and CVE-2025-11492.

How to Mitigate CVE-2025-11493

Immediate Actions Required

  • Upgrade ConnectWise Automate to version 2025.9 or later as directed in the vendor advisory.
  • Enforce HTTPS for all agent-to-server communication and disable any fallback to HTTP.
  • Validate that all Automate servers present trusted, non-expired TLS certificates and that agents reject invalid certificates.
  • Inventory managed endpoints and confirm each agent has connected to a patched server after the upgrade.

Patch Information

ConnectWise released a security fix in Automate 2025.9. Details are provided in the ConnectWise Automate 2025.9 Security Fix bulletin. Administrators should apply the patch to both the Automate server and deployed agents.

Workarounds

  • Enforce HTTPS-only communication between agents and the Automate server, which the vendor identifies as a mitigating control.
  • Segment Automate server and agent traffic onto trusted network paths to reduce exposure to adjacent-network attackers.
  • Deploy mutual TLS or certificate pinning at the network layer where supported to limit server impersonation.
  • Restrict administrative access to network infrastructure that handles agent traffic to reduce MITM opportunities.
bash
# Verify agent endpoints are configured to use HTTPS only
# Replace <automate-server> with your server FQDN
curl -v https://<automate-server>/ 2>&1 | grep -E "SSL connection|subject:|issuer:"

# Confirm no agent configuration references http:// for the server URL
findstr /S /I "http://" "%ProgramData%\LabTech\*.config"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne