{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-11493","assignerOrgId":"7d616e1a-3288-43b1-a0dd-0a65d3e70a49","state":"PUBLISHED","assignerShortName":"ConnectWise","dateReserved":"2025-10-08T11:26:01.814Z","datePublished":"2025-10-16T19:00:39.119Z","dateUpdated":"2026-02-26T16:57:24.641Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Automate","vendor":"ConnectWise","versions":[{"status":"affected","version":"All versions prior to 2025.9"}]}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"The ConnectWise Automate Agent does not fully verify the authenticity of files downloaded from the server, such as updates, dependencies, and integrations. This creates a risk where an on-path attacker could perform a man-in-the-middle attack and substitute malicious files for legitimate ones by impersonating a legitimate server. This risk is mitigated when HTTPS is enforced and is related to CVE-2025-11492."}],"value":"The ConnectWise Automate Agent does not fully verify the authenticity of files downloaded from the server, such as updates, dependencies, and integrations. This creates a risk where an on-path attacker could perform a man-in-the-middle attack and substitute malicious files for legitimate ones by impersonating a legitimate server. This risk is mitigated when HTTPS is enforced and is related to CVE-2025-11492."}],"impacts":[{"capecId":"CAPEC-186","descriptions":[{"lang":"en","value":"CAPEC-186 Malicious Software Update"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"ADJACENT_NETWORK","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-494","description":"CWE-494 Download of Code Without Integrity Check","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"7d616e1a-3288-43b1-a0dd-0a65d3e70a49","shortName":"ConnectWise","dateUpdated":"2025-10-16T19:00:39.119Z"},"references":[{"url":"https://www.connectwise.com/company/trust/security-bulletins/connectwise-automate-2025.9-security-fix"}],"solutions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<p><b>Cloud:&nbsp;</b>Cloud instances have already been updated to the latest\nAutomate release. &nbsp;&nbsp;</p>\n\n\n\n\n\n<p><b>On-premise</b>: Apply the 2025.9\nrelease.</p>\n\n\n\n\n\n\n\n<br>"}],"value":"Cloud: Cloud instances have already been updated to the latest\nAutomate release.   \n\n\n\n\n\n\n\nOn-premise: Apply the 2025.9\nrelease."}],"source":{"discovery":"UNKNOWN"},"title":"Self-Update Verification Mechanism Process in ConnectWise Automate","x_generator":{"engine":"Vulnogram 0.2.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"id":"CVE-2025-11493","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"version":"2.0.3","timestamp":"2025-10-17T03:55:32.566730Z"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-02-26T16:57:24.641Z"}}]}}