ConnectWise Flaws Let Attackers Deliver Malicious Software Updates

ConnectWise has issued a critical security update for its Automate™ platform after uncovering vulnerabilities that could allow attackers to intercept and tamper with software updates.

The flaws, present in on-premises installations configured to use unsecured communication channels, put organizations at risk of deploying malicious code under the guise of routine patches.

ConnectWise Automate 2025.9, released on October 16, 2025, addresses these weaknesses by enforcing HTTPS for all agent communications.

Unsecured Channels Expose Critical Communications

In some deployments of ConnectWise Automate, agents were permitted to communicate with the server over plain HTTP or rely on weaker encryption settings.

This configuration exposed sensitive traffic to network-based adversaries who could both read and alter data in transit.

By exploiting the flaws, attackers can inject malicious payloads into the update process, causing compromised agents to install unauthorised software that appears legitimate.

The risk is particularly high for environments where on-premise servers are not ...