ConnectWise released urgent security updates to remediate two serious flaws in its Automate platform, vulnerabilities that together permitted adversary-in-the-middle (AiTM) attacks on software updates. The first flaw, CVE-2025-11492, earned a 9.6 severity because it allowed cleartext HTTP communication instead of enforced TLS encryption. The second, CVE-2025-11493, bypassed signature and integrity checks on update packages, allowing attackers to swap in malicious components without detection.
Because Automate is commonly deployed by Managed Service Providers (MSPs) to push updates and commands across client networks, these vulnerabilities had wide-reaching implications. A successful exploit could let threat actors impersonate update servers, insert backdoored binaries, and maintain persistence across multiple environments.
Attack Chain & Exploit Tactics
First, attackers intercept unencrypted HTTP agent-server traffic under CVE-2025-11492. Since some Automate agents permitted HTTP fallback, this exposed them to interception. Next, leveraging CVE-2025-11493, adversaries served malicious updates by bypassing integrity verification routines. The combination creates a potent exploit path: they hijack update delivery, inject rogue code, and conceal their presence in trusted software flows.
ConnectWise automatically patched cloud-hosted instances to version 2025.9. However, administrators running on-premise deployments must manually apply the fixes promptly. Despite labeling the update “moderate priority,” the vendor cautioned that real-world targeting could arise very soon.
Risk Amplification in MSP & RMM Environments
Because MSPs use Automate to centrally manage endpoints across clients, a compromised MSP becomes a leverage point for cascading intrusions. Attackers could use a single foothold to compromise multiple downstream networks. In prior incidents, ConnectWise products have drawn attention from threat groups, prompting certificate rotations and code-signing hardening as reactive measures.
This exploit vector reminds defenders that trust in update channels must be conditional, not assumed. Even signed or vendor-delivered updates cannot be trusted without validation checkpoints especially in RMM ecosystems.
Mitigation & Hardening Strategy
To defend against this class of attack, follow these prioritized actions:
-
Patch Immediately Deploy the updated Automate release across both cloud and on-prem environments.
-
Enforce Encrypted Channels Only Disable HTTP fallback and require HTTPS for all agent-server traffic.
-
Integrate Integrity Checks Add additional signature or checksum validation for update payloads beyond vendor defaults.
-
Segment Update Networks Isolate RMM traffic from general network flows to reduce lateral risk.
-
Monitor Update Flows Use anomaly detection to flag unexpected payload sizes, frequencies or source changes.
-
Audit Third-Party Code-Signing Policies Limit exposure from signing materials or certificate misuse.
When layered together, these controls drastically reduce the attack surface exposed by AiTM-style update vectors.
Implications for Software Delivery & Enterprise Trust
This bug patch episode reinforces a broader industry lesson: update channels are high-value targets. Attackers shift away from mass phishing and brute force, toward manipulating trusted flows. As such, defenders must treat software delivery pipelines with the same scrutiny as network ingress points.
Enterprises should adopt zero-trust validation for updates: require multiple checks, cryptographic signatures, and behavioral baselining even on vendor-supplied patches. Particularly for orchestration, RMM, and IoT stacks, safeguarding update integrity becomes mission-critical.
FAQs
Q1: Can an attacker exploit just CVE-2025-11492 alone?
No. Alone it allows interception of traffic, but combining with CVE-2025-11493 enables actual malicious update injection.
Q2: Did ConnectWise confirm attacks in the wild?
Not definitively. The vendor warned the flaws pose a high risk of exploitation, though no confirmed active attacks were declared.
Q3: Does this patch apply to all deployment types?
Yes, cloud instances were auto-updated, but on-prem deployments require manual patching.
Q4: Does this vulnerability affect other ConnectWise products?
This specific pair affects Automate. However, similar supply-chain risks have impacted ScreenConnect and other ConnectWise products historically.
