CVE-2025-11492

In the ConnectWise Automate Agent, communications could be configured to use HTTP instead of HTTPS. In such cases, an on-path threat actor with a man-in-the-middle network position could intercept, modify, or replay agent-server traffic. Additionally, the encryption method used to obfuscate some communications over the HTTP channel is updated in the Automate 2025.9 patch to enforce HTTPS for all agent communications.

Published: Oct 16, 2025
Updated: Nov 4, 2025
CVE: CVE-2025-11492
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.6
AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CWEs:

CWE-319

OWASP TOP 10:

A3 - Sensitive Data Exposure

Affected Software
References

Software	From	Fixed in
connectwise / automate	-	2025.9

https://www.connectwise.com/company/trust/security-bulletins/connectwise-automate-2025.9-security-fix

Vulnerability Database

CVE-2025-11492

Deep Security Visibility Without the Complexity