CVE-2025-11492

CRITICAL

ConnectWise Automate < 2025.9 - Cleartext Transmission of Sensitive Information via HTTP

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-11492. PoCs published by synap5e.

AI-analyzed exploit summary This repository contains a proof-of-concept for CVE-2025-11492, demonstrating an Adversary-in-the-Middle (AiTM) attack against ConnectWise Automate RMM agents. The exploit leverages insufficient protocol security and validation flaws to achieve remote code execution (RCE) as SYSTEM by coercing the agent into downloading and executing a malicious plugin.

Description

In the ConnectWise Automate Agent, communications could be configured to use HTTP instead of HTTPS. In such cases, an on-path threat actor with a man-in-the-middle network position could intercept, modify, or replay agent-server traffic. Additionally, the encryption method used to obfuscate some communications over the HTTP channel is updated in the Automate 2025.9 patch to enforce HTTPS for all agent communications.

Exploits (1)

nomisec WORKING POC 1 stars

by synap5e · poc

https://github.com/synap5e/connectwise-automate-AiTM-rce

View Code ZIP pw:eip

This repository contains a proof-of-concept for CVE-2025-11492, demonstrating an Adversary-in-the-Middle (AiTM) attack against ConnectWise Automate RMM agents. The exploit leverages insufficient protocol security and validation flaws to achieve remote code execution (RCE) as SYSTEM by coercing the agent into downloading and executing a malicious plugin.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: ConnectWise Automate (version 250.252 and prior)

No auth needed

Prerequisites: Network-level AiTM position or physical access to the target device · ConnectWise Automate agent configured to use HTTP transport (primary or fallback)

MITRE ATT&CK

T1557 - Adversary-in-the-Middle T1189 - Drive-by Compromise T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1

Core References

Vendor Advisory

https://www.connectwise.com/company/trust/security-bulletins/connectwise-automate-2025.9-security-fix

Scores

CVSS v3 9.6

EPSS 0.0019

EPSS Percentile 9.0%

Attack Vector ADJACENT_NETWORK

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-319

Status published

Products (1)

connectwise/automate < 2025.9

Published Oct 16, 2025

Tracked Since Feb 18, 2026