CVE-2025-11492 Overview
CVE-2025-11492 affects the ConnectWise Automate Agent when configured to use HTTP instead of HTTPS for agent-server communications. An attacker positioned on the network path can intercept, modify, or replay traffic between the agent and the Automate server. The vulnerability is classified under CWE-319: Cleartext Transmission of Sensitive Information. ConnectWise addressed the issue in Automate 2025.9 by enforcing HTTPS for all agent communications and updating the encryption method used to obfuscate traffic over the HTTP channel.
Critical Impact
An on-path (man-in-the-middle) attacker can intercept and tamper with agent-server traffic, potentially pushing malicious commands or scripts to the managed endpoints that trust the server's instructions.
Affected Products
- ConnectWise Automate (versions prior to 2025.9)
- ConnectWise Automate Agent deployments configured for HTTP transport
- Managed endpoints reporting to an Automate server over cleartext channels
Discovery Timeline
- 2025-10-16 - CVE-2025-11492 published to NVD
- 2025-10-29 - Last updated in NVD database
Technical Details for CVE-2025-11492
Vulnerability Analysis
The ConnectWise Automate Agent supports configuration profiles that route management traffic over HTTP rather than HTTPS. When deployed in this mode, the agent transmits commands, scripts, inventory data, and obfuscated payloads across the network without Transport Layer Security (TLS) protection. The encryption layer applied to some HTTP-channel communications is insufficient to prevent a network-positioned attacker from manipulating the data stream.
An attacker on the same broadcast domain, VPN segment, or upstream network device can perform Address Resolution Protocol (ARP) poisoning, DNS spoofing, or rogue gateway attacks to position themselves between agents and the Automate server. Once on-path, the attacker can read agent telemetry, replay prior commands, or inject crafted responses that the agent processes as legitimate server instructions.
The attack complexity is elevated because the adversary must hold an adjacent network position and the target environment must be configured for HTTP transport. However, successful exploitation grants the attacker influence over a remote management channel that typically executes with high privileges on managed hosts.
Root Cause
The root cause is the availability of an HTTP transport option combined with a custom obfuscation routine that does not provide the integrity and confidentiality guarantees of TLS. Cleartext or weakly encrypted management traffic exposes both the contents and the control flow of agent-server exchanges.
Attack Vector
Exploitation requires adjacent network access and no authentication or user interaction. The attacker observes HTTP traffic to the Automate server, then modifies request or response bodies to alter agent behavior. Because the Automate Agent executes commands distributed by the server, message tampering can translate directly into code execution on managed endpoints.
No public proof-of-concept exploit is available and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Detection Methods for CVE-2025-11492
Indicators of Compromise
- Outbound Automate Agent traffic on TCP port 80 instead of TCP port 443 to the management server
- Agent configuration files referencing http:// URLs for the server address rather than https://
- Unexpected ARP table changes or duplicate MAC addresses on network segments hosting managed endpoints
- Automate command history showing scripts or actions that were not initiated by an administrator
Detection Strategies
- Inspect network flow records for any ConnectWise Automate Agent process initiating connections to remote hosts over cleartext HTTP
- Audit Automate server configuration and agent deployment templates for the transport protocol setting
- Correlate endpoint command execution events with authenticated Automate console sessions to identify unauthorized task dispatch
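The following is an added example (not ConnectWise code) that applies the first two indicators above, an agent process connecting to the management server on TCP/80 and a Server Address configured with the http:// scheme, to constructed sample flow records and a constructed per-host configuration inventory; the key=value flow format, host names and IP addresses are assumptions, so adapt the field names to your collector.

```python
# Added detection example (not ConnectWise code): flag Automate agents that
# reach the server over cleartext HTTP. Flow format and config dict are constructed.
import re
from urllib.parse import urlsplit
# Constructed sample flow records, one outbound connection per line.
SAMPLE_FLOWS = """\
2025-10-20T10:00:01Z host=WS01 proc=LTSVC.exe proto=TCP dst=10.0.0.5 dport=80
2025-10-20T10:00:02Z host=WS02 proc=LTSVC.exe proto=TCP dst=10.0.0.5 dport=443
2025-10-20T10:00:03Z host=WS03 proc=chrome.exe proto=TCP dst=93.184.216.34 dport=80
2025-10-20T10:00:04Z host=WS04 proc=LTSVC.exe proto=TCP dst=10.0.0.5 dport=80
2025-10-20T10:00:05Z host=WS07 proc=ltsvc.exe proto=TCP dst=10.0.0.5 dport=80
"""
# Constructed per-host "Server Address" values (assumed to come from a registry
# inventory such as the reg query shown later on this page).
SAMPLE_CONFIG = {
    "WS01": "http://automate.example.com",
    "WS02": "https://automate.example.com",
    "WS04": "http://automate.example.com",
    "WS05": "HTTPS://automate.example.com/",
    "WS06": "http://10.0.0.5",
}
AGENT_PROCESSES = {"ltsvc.exe"}   # agent binary named on this page
KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_flow(line):
    """Parse one 'timestamp key=value ...' line into a dict (timestamp as 'ts')."""
    ts, _, rest = line.partition(" ")
    return {"ts": ts, **dict(KV_RE.findall(rest))}

def cleartext_agent_flows(log_text, server_ips):
    """Hosts whose agent process connected to an Automate server IP on TCP/80."""
    hits = set()
    for line in log_text.splitlines():
        f = parse_flow(line)
        if (f.get("proc", "").lower() in AGENT_PROCESSES
                and f.get("proto") == "TCP" and f.get("dport") == "80"
                and f.get("dst") in server_ips):
            hits.add(f["host"])
    return sorted(hits)

def http_configured_hosts(config):
    """Hosts whose Server Address uses the http:// scheme (scheme case-insensitive)."""
    return sorted(h for h, url in config.items()
                  if urlsplit(url.strip()).scheme.lower() == "http")

def remediation_candidates(log_text, config, server_ips):
    """Union of both indicators: the hosts to upgrade or reconfigure first."""
    return sorted(set(cleartext_agent_flows(log_text, server_ips))
                  | set(http_configured_hosts(config)))
```

Hosts that appear in only one list (WS06 from configuration, WS07 from flows) are exactly why both indicators are worth correlating: a stale inventory or a quiet agent hides one of them.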
Monitoring Recommendations
- Alert on ARP cache anomalies and gratuitous ARP replies on subnets that host Automate-managed systems
- Capture and review TLS handshake logs to confirm every agent establishes HTTPS sessions with the management server
- Forward Automate server and agent logs to a centralized analytics platform and monitor for transport downgrade events
How to Mitigate CVE-2025-11492
Immediate Actions Required
- Upgrade ConnectWise Automate to version 2025.9 or later to enforce HTTPS for all agent communications
- Inventory every Automate Agent deployment and confirm the server URL uses the https:// scheme
- Rotate any credentials, API tokens, or script secrets that may have traversed HTTP channels prior to patching
- Segment management traffic onto dedicated VLANs to reduce exposure to adjacent-network attackers
Patch Information
ConnectWise released the fix in Automate 2025.9, which enforces HTTPS for all agent communications and updates the encryption method used for channel obfuscation. Refer to the ConnectWise Automate 2025.9 Security Bulletin for upgrade procedures and verification steps.
Workarounds
- Reconfigure all agents and the Automate server to require HTTPS transport and disable HTTP listeners on the server
- Deploy a valid TLS certificate on the Automate server and ensure agents validate the certificate chain
- Restrict agent-to-server traffic with firewall rules that permit only HTTPS to the management server address
# Configuration example: verify agents are using HTTPS transport
# On a managed Windows endpoint, inspect the agent server setting
reg query "HKLM\SOFTWARE\LabTech\Service" /v "Server Address"
# Expected value should begin with https://
# Example: https://automate.example.com
# Block cleartext Automate traffic at the host firewall as defense-in-depth
netsh advfirewall firewall add rule name="Block Automate HTTP" ^
dir=out action=block protocol=TCP remoteport=80 ^
program="C:\Windows\LTSvc\LTSVC.exe"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

