CVE-2023-25719
Severity: HIGH
ConnectWise Control < 22.9.10032 - Code Injection via Unvalidated h Parameter
ConnectWise Control before 22.9.10032 (formerly known as ScreenConnect) fails to validate user-supplied parameters such as the Bin/ConnectWiseControl.Client.exe h parameter. This results in reflected data and injection of malicious code into a downloaded executable. The executable can be used to execute malicious queries or as a denial-of-service vector. NOTE: this CVE Record is only about the parameters, such as the h parameter (this CVE Record is not about the separate issue of signed executable files that are supposed to have unique configurations across customers' installations).
References (5)
Core References
Exploit, Third Party Advisory
https://cybir.com/2022/cve/hijacking-connectwise-control-and-ddos/
Product
https://www.connectwise.com
Various Sources
https://m.youtube.com/watch?v=fbNVUgmstSc&pp=0gcJCf0Ao7VqN5tD
Scores
CVSS v3
8.8
EPSS
0.0106
EPSS Percentile
60.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-74
Status
published
Products (1)
connectwise/control
< 22.9.10032
Published
Feb 13, 2023
Tracked Since
Feb 18, 2026