CVE-2023-25718

CRITICAL

ConnectWise Control < 22.9.10032 - Improper Verification of Cryptographic Signature

Title source: llm

Description

In ConnectWise Control through 22.9.10032 (formerly known as ScreenConnect), after an executable file is signed, additional instructions can be added without invalidating the signature, such as instructions that result in offering the end user a (different) attacker-controlled executable file. It is plausible that the end user may allow the download and execution of this file to proceed. There are ConnectWise Control configuration options that add mitigations.

References (5)

Core 5

Core References

Various Sources

https://m.youtube.com/watch?v=fbNVUgmstSc&pp=0gcJCf0Ao7VqN5tD

Not Applicable

https://cybir.com/2022/cve/connectwise-control-dns-spoofing-poc/

Product

https://www.connectwise.com

Various Sources

https://www.connectwise.com/blog/cybersecurity/the-importance-of-responsible-security-disclosures

Various Sources

https://www.huntress.com/blog/clearing-the-air-overblown-claims-of-vulnerabilities-exploits-severity

Scores

CVSS v3 9.8

EPSS 0.0069

EPSS Percentile 47.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-347

Status published

Products (1)

connectwise/control < 22.9.10032

Published Feb 13, 2023

Tracked Since Feb 18, 2026