Vulnerability Details CVE-2025-11492
In the ConnectWise Automate Agent, communications could be configured to use HTTP instead of HTTPS. In such cases, an on-path threat actor with a man-in-the-middle network position could intercept, modify, or replay agent-server traffic. Additionally, the encryption method used to obfuscate some communications over the HTTP channel is updated in the Automate 2025.9 patch to enforce HTTPS for all agent communications.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 0.2%
CVSS Severity
CVSS v3 Score 9.6
Products affected by CVE-2025-11492
-
cpe:2.3:a:connectwise:automate:-
-
cpe:2.3:a:connectwise:automate:2019.12
-
cpe:2.3:a:connectwise:automate:2020.0
-
cpe:2.3:a:connectwise:automate:2020.7
-
cpe:2.3:a:connectwise:automate:2020.8
-
cpe:2.3:a:connectwise:automate:2022.10
-
cpe:2.3:a:connectwise:automate:2022.11