CVEDB API

Vulnerabilities

By Date
Known Exploited
Advanced Search

Vulnerable Software

Vendors
Products

Vulnerability Details CVE-2023-25719

ConnectWise Control before 22.9.10032 (formerly known as ScreenConnect) fails to validate user-supplied parameters such as the Bin/ConnectWiseControl.Client.exe h parameter. This results in reflected data and injection of malicious code into a downloaded executable. The executable can be used to execute malicious queries or as a denial-of-service vector. NOTE: this CVE Record is only about the parameters, such as the h parameter (this CVE Record is not about the separate issue of signed executable files that are supposed to have unique configurations across customers' installations).

Exploit prediction scoring system (EPSS) score

EPSS Score 0.002

EPSS Ranking 45.9%

CVSS Severity

CVSS v3 Score 8.8

References

https://cybir.com/2022/cve/hijacking-connectwise-control-and-ddos/
https://m.youtube.com/watch?v=fbNVUgmstSc&pp=0gcJCf0Ao7VqN5tD
https://www.connectwise.com/blog/cybersecurity/the-importance-of-responsible-security-disclosures
https://cybir.com/2022/cve/hijacking-connectwise-control-and-ddos/
https://www.connectwise.com
https://www.connectwise.com/blog/cybersecurity/the-importance-of-responsible-security-disclosures
https://www.huntress.com/blog/clearing-the-air-overblown-claims-of-vulnerabilities-exploits-severity

Products affected by CVE-2023-25719

Connectwise » Control » Version: 19.3.25270.7185

cpe:2.3:a:connectwise:control:19.3.25270.7185

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2023-25719

Products

Pricing

Contact Us