CVE-2025-14823

MEDIUM

ConnectWise ScreenConnect < 1.0.12 - Unauthenticated Sensitive Information Exposure via Certificate Signing Extension

Title source: llm

Description

In deployments using the ScreenConnect™ Certificate Signing Extension, encrypted configuration values including an Azure Key Vault-related key, could be returned to unauthenticated users through a client-facing endpoint under certain conditions. The values remained encrypted and securely stored at rest; however, an encrypted representation could be exposed in client responses. Updating the Certificate Signing Extension to version 1.0.12 or higher ensures configuration handling occurs exclusively on the server side, preventing encrypted values from being transmitted to or rendered by client-side components.

References (1)

Core 1

Core References

Vendor Advisory

https://www.connectwise.com/company/trust/security-bulletins/2025-12-18-screenconnect-certificate-signing-extension-update

Scores

CVSS v3 5.3

EPSS 0.0013

EPSS Percentile 3.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-201

Status published

Products (1)

connectwise/screenconnect < 1.0.12

Published Dec 18, 2025

Tracked Since Feb 18, 2026