Connectwise

Known Exploited Connectwise Vulnerabilities

The following Connectwise vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.

The vulnerability CVE-2024-1709: ConnectWise ScreenConnect Authentication Bypass Vulnerability is in the top 1% of the currently known exploitable vulnerabilities.

By the Year

In 2026 there have been 3 vulnerabilities in Connectwise with an average score of 8.1 out of ten. Last year, in 2025 Connectwise had 6 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, it appears that number of security vulnerabilities in Connectwise in 2026 could surpass last years number. However, the average CVE base score of the vulnerabilities in 2026 is greater by 0.52.

Recent Connectwise Security Vulnerabilities

CVE	Date	Vulnerability	Products
CVE-2026-3564	Mar 17, 2026	ScreenConnect Server-Level Crypto Exposure Enables Privilege Escalation A condition in ScreenConnect may allow an actor with access to server-level cryptographic material used for authentication to obtain unauthorized access, including elevated privileges, in certain scenarios.	Screenconnect
CVE-2026-0696	Jan 16, 2026	ConnectWise PSA <2026.1: Session Cookie HttpOnly missing (XSS/Session hijack) In ConnectWise PSA versions older than 2026.1, certain session cookies were not set with the HttpOnly attribute. In some scenarios, this could allow client-side scripts access to session cookie values.
CVE-2026-0695	Jan 16, 2026	ConnectWise PSA <=2026.0 XSS in Time Entry Audit Trail In ConnectWise PSA versions older than 2026.1, Time Entry notes stored in the Time Entry Audit Trail may be rendered without applying output encoding to certain content. Under specific conditions, this may allow stored script code to execute in the context of a users browser when the affected content is displayed.
CVE-2025-14823	Dec 18, 2025	ScreenConnect Cert Sign Ext <=1.0.11 Exposes Encrypted Config via Client In deployments using the ScreenConnect Certificate Signing Extension, encrypted configuration values including an Azure Key Vault-related key, could be returned to unauthenticated users through a client-facing endpoint under certain conditions. The values remained encrypted and securely stored at rest; however, an encrypted representation could be exposed in client responses. Updating the Certificate Signing Extension to version 1.0.12 or higher ensures configuration handling occurs exclusively on the server side, preventing encrypted values from being transmitted to or rendered by client-side components.	Screenconnect
CVE-2025-14265	Dec 11, 2025	ScreenConnect <25.8 Server: Untrusted Extension Exec (CVE-2025-14265) In versions of ScreenConnect prior to 25.8, server-side validation and integrity checks within the extension subsystem could allow the installation and execution of untrusted or arbitrary extensions by authorized or administrative users. Abuse of this behavior could result in the execution of custom code on the server or unauthorized access to application configuration data. This issue affects only the ScreenConnect server component; host and guest clients are not impacted. ScreenConnect 25.8 introduces enhanced server-side configuration handling and integrity checks to ensure only trusted extensions can be installed.	Screenconnect
CVE-2025-11493	Oct 16, 2025	ConnectWise Automate Agent MITM File Integrity Flaw The ConnectWise Automate Agent does not fully verify the authenticity of files downloaded from the server, such as updates, dependencies, and integrations. This creates a risk where an on-path attacker could perform a man-in-the-middle attack and substitute malicious files for legitimate ones by impersonating a legitimate server. This risk is mitigated when HTTPS is enforced and is related to CVE-2025-11492.	Automate
CVE-2025-11492	Oct 16, 2025	ConnectWise Automate Agent: HTTP Channel Exposes Traffic (CVE-2025-11492) In the ConnectWise Automate Agent, communications could be configured to use HTTP instead of HTTPS. In such cases, an on-path threat actor with a man-in-the-middle network position could intercept, modify, or replay agent-server traffic. Additionally, the encryption method used to obfuscate some communications over the HTTP channel is updated in the Automate 2025.9 patch to enforce HTTPS for all agent communications.	Automate
CVE-2025-4876	May 19, 2025	ConnectWise Risk Assessment Hardcoded AES Key Leak (CVE-2025-4876) ConnectWise-Password-Encryption-Utility.exe in ConnectWise Risk Assessment allows an attacker to extract a hardcoded AES decryption key via reverse engineering. This key is embedded in plaintext within the binary and used in cryptographic operations without dynamic key management. Once obtained the key can be used to decrypt CSV input files used for authenticated network scanning.	Risk Assessment
CVE-2025-3935	Apr 25, 2025	ScreenConnect 25.2.3 ViewState Code Injection (RCE) ScreenConnect versions 25.2.3 and earlier versions may be susceptible to a ViewState code injection attack. ASP.NET Web Forms use ViewState to preserve page and control state, with data encoded using Base64 protected by machine keys.  It is important to note that to obtain these machine keys, privileged system level access must be obtained. If these machine keys are compromised, attackers could create and send a malicious ViewState to the website, potentially leading to remote code execution on the server.  The risk does not originate from a vulnerability introduced by ScreenConnect, but from platform level behavior.  This had no direct impact to ScreenConnect Client. ScreenConnect 2025.4 patch disables ViewState and removes any dependency on it.	Screenconnect
CVE-2024-1708	Feb 21, 2024	ConnectWise ScreenConnect 23.9.7 Path-Traversal RCE ConnectWise ScreenConnect 23.9.7 and prior are affected by path-traversal vulnerability, which may allow an attacker the ability to execute remote code or directly impact confidential data or critical systems.	Screenconnect
CVE-2024-1709	Feb 21, 2024	ConnectWise ScreenConnect <23.9.7 Auth Bypass via Alternate Channel ConnectWise ScreenConnect 23.9.7 and prior are affected by an Authentication Bypass Using an Alternate Path or Channel vulnerability, which may allow an attacker direct access to confidential information or critical systems.	Screenconnect
CVE-2023-47256	Feb 01, 2024	ScreenConnect 23.8.4 Local Users Connect to Arbitrary Relay via Proxy Trust ConnectWise ScreenConnect through 23.8.4 allows local users to connect to arbitrary relay servers via implicit trust of proxy settings	Screenconnect Automate
CVE-2023-47257	Feb 01, 2024	ConnectWise ScreenConnect <=23.8.4 RCE via MITM in Messaging ConnectWise ScreenConnect through 23.8.4 allows man-in-the-middle attackers to achieve remote code execution via crafted messages.	Screenconnect Automate
CVE-2023-25718	Feb 13, 2023	ConnectWise Control <=22.9.10032 Code Signing Bypass via Post-Sign Instructions In ConnectWise Control through 22.9.10032 (formerly known as ScreenConnect), after an executable file is signed, additional instructions can be added without invalidating the signature, such as instructions that result in offering the end user a (different) attacker-controlled executable file. It is plausible that the end user may allow the download and execution of this file to proceed. There are ConnectWise Control configuration options that add mitigations.	Control Screenconnect
CVE-2023-25719	Feb 13, 2023	ConnectWise Control <22.9.10032: Reflected Param Injection via h ConnectWise Control before 22.9.10032 (formerly known as ScreenConnect) fails to validate user-supplied parameters such as the Bin/ConnectWiseControl.Client.exe h parameter. This results in reflected data and injection of malicious code into a downloaded executable. The executable can be used to execute malicious queries or as a denial-of-service vector. NOTE: this CVE Record is only about the parameters, such as the h parameter (this CVE Record is not about the separate issue of signed executable files that are supposed to have unique configurations across customers' installations).	Control
CVE-2023-23126	Feb 01, 2023	ConnectWise Automate 2022.11 Clickjacking via Iframed Login CSP Claim Connectwise Automate 2022.11 is vulnerable to Clickjacking. The login screen can be iframed and used to manipulate users to perform unintended actions. NOTE: the vendor's position is that a Content-Security-Policy HTTP response header is present to block this attack.	Automate
CVE-2023-23127	Feb 01, 2023	ConnectWise Control 22.8: HSTS Missing on Login (Unencrypted) In Connectwise Control 22.8.10013.8329, the login page does not implement HSTS headers therefore not enforcing HTTPS. NOTE: the vendor's position is that, by design, this is controlled by a configuration option in which a customer can choose to use HTTP (rather than HTTPS) during troubleshooting.	Connectwise
CVE-2023-23128	Feb 01, 2023	Connectwise Control 22.8.10013.8329 CORS Issue (No Risk) Connectwise Control 22.8.10013.8329 is vulnerable to Cross Origin Resource Sharing (CORS). The vendor's position is that two endpoints have Access-Control-Allow-Origin wildcarding to support product functionality, and that there is no risk from this behavior. The vulnerability report is thus not valid.	Connectwise
CVE-2023-23130	Feb 01, 2023	ConnectWise Automate 2022.11 Cleartext Auth via HTTP (CVE-2023-23130) Connectwise Automate 2022.11 is vulnerable to Cleartext authentication. Authentication is being done via HTTP (cleartext) with SSL disabled. OTE: the vendor's position is that, by design, this is controlled by a configuration option in which a customer can choose to use HTTP (rather than HTTPS) during troubleshooting.	Automate
CVE-2022-36781	Sep 28, 2022	ScreenConnect 22.6 Brute-Force on Custom Access Tokens via Rate-Limiting Flaw ConnectWise ScreenConnect versions 22.6 and below contained a flaw allowing potential brute force attacks on custom access tokens due to inadequate rate-limiting controls in the default configuration. Attackers could exploit this vulnerability to gain unauthorized access by repeatedly attempting access code combinations. ConnectWise has addressed this issue in later versions by implementing rate-limiting controls as a preventive measure against brute force attacks.	Connectwise Screenconnect
CVE-2021-35066	Jun 21, 2021	An XXE vulnerability exists in ConnectWise Automate before 2021.0.6.132. An XXE vulnerability exists in ConnectWise Automate before 2021.0.6.132.	Automate
CVE-2021-32582	Jun 17, 2021	An issue was discovered in ConnectWise Automate before 2021.5 An issue was discovered in ConnectWise Automate before 2021.5. A blind SQL injection vulnerability exists in core agent inventory communication that can enable an attacker to extract database information or administrative credentials from an instance via crafted monitor status responses.	Connectwise Automate
CVE-2020-15838	Oct 09, 2020	The Agent Update System in ConnectWise Automate before 2020.8 The Agent Update System in ConnectWise Automate before 2020.8 allows Privilege Escalation because the _LTUPDATE folder has weak permissions.	Automate
CVE-2019-16512	Jan 23, 2020	An issue was discovered in ConnectWise Control (formerly known as ScreenConnect) 19.3.25270.7185 An issue was discovered in ConnectWise Control (formerly known as ScreenConnect) 19.3.25270.7185. There is stored XSS in the Appearance modifier.	Control
CVE-2019-16517	Jan 23, 2020	An issue was discovered in ConnectWise Control (formerly known as ScreenConnect) 19.3.25270.7185 An issue was discovered in ConnectWise Control (formerly known as ScreenConnect) 19.3.25270.7185. There is a CORS misconfiguration, which reflected the Origin provided by incoming requests. This allowed JavaScript running on any domain to interact with the server APIs and perform administrative actions, without the victim's knowledge.	Control
CVE-2019-16516	Jan 23, 2020	An issue was discovered in ConnectWise Control (formerly known as ScreenConnect) 19.3.25270.7185 An issue was discovered in ConnectWise Control (formerly known as ScreenConnect) 19.3.25270.7185. There is a user enumeration vulnerability, allowing an unauthenticated attacker to determine with certainty if an account exists for a given username.	Control
CVE-2019-16515	Jan 23, 2020	An issue was discovered in ConnectWise Control (formerly known as ScreenConnect) 19.3.25270.7185 An issue was discovered in ConnectWise Control (formerly known as ScreenConnect) 19.3.25270.7185. Certain HTTP security headers are not used.	Control
CVE-2019-16514	Jan 23, 2020	An issue was discovered in ConnectWise Control (formerly known as ScreenConnect) 19.3.25270.7185 An issue was discovered in ConnectWise Control (formerly known as ScreenConnect) 19.3.25270.7185. The server allows remote code execution. Administrative users could upload an unsigned extension ZIP file containing executable code that is subsequently executed by the server.	Control
CVE-2019-16513	Jan 23, 2020	An issue was discovered in ConnectWise Control (formerly known as ScreenConnect) 19.3.25270.7185 An issue was discovered in ConnectWise Control (formerly known as ScreenConnect) 19.3.25270.7185. CSRF can be used to send API requests.	Control
CVE-2017-18362	Feb 05, 2019	ConnectWise ManagedITSync integration through 2017 for Kaseya VSA is vulnerable to unauthenticated remote commands ConnectWise ManagedITSync integration through 2017 for Kaseya VSA is vulnerable to unauthenticated remote commands that allow full direct access to the Kaseya VSA database. In February 2019, attackers have actively exploited this in the wild to download and execute ransomware payloads on all endpoints managed by the VSA server. If the ManagedIT.asmx page is available via the Kaseya VSA web interface, anyone with access to the page is able to run arbitrary SQL queries, both read and write, without authentication.	Manageditsync