CVE-2025-11492 - Vulnerability Details - OpenCVE

In the ConnectWise Automate Agent, communications could be configured to use HTTP instead of HTTPS. In such cases, an on-path threat actor with a man-in-the-middle network position could intercept, modify, or replay agent-server traffic. Additionally, the encryption method used to obfuscate some communications over the HTTP channel is updated in the Automate 2025.9 patch to enforce HTTPS for all agent communications.

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0001.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

No data.

References

Link	Providers
https://www.connectwise.com/company/trust/security-bulletins/connectwise-automate-2025.9-security-fix

History

Thu, 16 Oct 2025 19:15:00 +0000

Type	Values Removed	Values Added
Description		In the ConnectWise Automate Agent, communications could be configured to use HTTP instead of HTTPS. In such cases, an on-path threat actor with a man-in-the-middle network position could intercept, modify, or replay agent-server traffic. Additionally, the encryption method used to obfuscate some communications over the HTTP channel is updated in the Automate 2025.9 patch to enforce HTTPS for all agent communications.
Title		HTTP Configuration and Encryption in Transit
Weaknesses		CWE-319
References		https://www.connectwise.com/company/trust/security-bulletins/connectwise-automate-2025.9-security-fix
Metrics		cvssV3_1 `{'score': 9.6, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}`

MITRE

Status: PUBLISHED

Assigner: ConnectWise

Published: 2025-10-16T18:59:35.285Z

Updated: 2025-10-17T03:55:31.431Z

Reserved: 2025-10-08T11:25:59.180Z

Link: CVE-2025-11492

Vulnrichment

No data.

NVD

Status : Received

Published: 2025-10-16T19:15:31.900

Modified: 2025-10-16T19:15:31.900

Link: CVE-2025-11492

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-11492", "assignerOrgId": "7d616e1a-3288-43b1-a0dd-0a65d3e70a49", "state": "PUBLISHED", "assignerShortName": "ConnectWise", "dateReserved": "2025-10-08T11:25:59.180Z", "datePublished": "2025-10-16T18:59:35.285Z", "dateUpdated": "2025-10-17T03:55:31.431Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "modules": ["Agent"], "product": "Automate", "vendor": "ConnectWise", "versions": [{"status": "affected", "version": "All versions prior to 2025.9"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "In the ConnectWise Automate Agent, communications could be configured to use HTTP instead of HTTPS. In such cases, an on-path threat actor with a man-in-the-middle network position could intercept, modify, or replay agent-server traffic. Additionally, the encryption method used to obfuscate some communications over the HTTP channel is updated in the Automate 2025.9 patch to enforce HTTPS for all agent communications.<br><br><div><div><div>\n\n</div>\n\n</div>\n\n</div>"}], "value": "In the ConnectWise Automate Agent, communications could be configured to use HTTP instead of HTTPS. In such cases, an on-path threat actor with a man-in-the-middle network position could intercept, modify, or replay agent-server traffic. Additionally, the encryption method used to obfuscate some communications over the HTTP channel is updated in the Automate 2025.9 patch to enforce HTTPS for all agent communications."}], "impacts": [{"capecId": "CAPEC-94", "descriptions": [{"lang": "en", "value": "CAPEC-94 Adversary in the Middle (AiTM)"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-319", "description": "CWE-319 Cleartext Transmission of Sensitive Information", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7d616e1a-3288-43b1-a0dd-0a65d3e70a49", "shortName": "ConnectWise", "dateUpdated": "2025-10-16T18:59:35.285Z"}, "references": [{"url": "https://www.connectwise.com/company/trust/security-bulletins/connectwise-automate-2025.9-security-fix"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p><b>Cloud: </b>Cloud instances have already been updated to the latest\nAutomate release.   </p>\n\n\n\n\n\n<p><b>On-premise: </b>Apply the 2025.9\nrelease.</p>\n\n\n\n\n\n\n\n<br>"}], "value": "Cloud:\u00a0Cloud instances have already been updated to the latest\nAutomate release. \u00a0\u00a0\n\n\n\n\n\n\n\nOn-premise:\u00a0Apply the 2025.9\nrelease."}], "source": {"discovery": "UNKNOWN"}, "title": "HTTP Configuration and Encryption in Transit", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-16T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2025-11492"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-17T03:55:31.431Z"}}]}}