ConnectWise Automate Solution Center Cleartext Communication Vulnerability (CVE-2026-6066)
ConnectWise Automate is vulnerable to CVE-2026-6066, a cleartext transmission of sensitive information vulnerability, where certain client-to-server communications could occur without transport-layer encryption, potentially allowing network-based interception of Solution Center traffic, and the issue is resolved in Automate 2026.4 by enforcing secure communication.
ConnectWise Automate is a remote monitoring and management (RMM) platform used by managed service providers (MSPs). CVE-2026-6066 describes a vulnerability in the ConnectWise Automate Solution Center where specific client-to-server communications may occur without transport-layer encryption. An attacker positioned on the network could intercept sensitive data transmitted in cleartext. This vulnerability was disclosed on April 20, 2026, and affects ConnectWise Automate versions prior to 2026.4. Successful exploitation allows an attacker to potentially gain access to credentials, configuration details, and other sensitive information related to the managed clients. The vulnerability has been resolved in Automate 2026.4 by enforcing secure communication for affected Solution Center connections.
Attack Chain
- Attacker gains network access to a ConnectWise Automate deployment.
- Attacker passively monitors network traffic for communications between Automate clients and the Solution Center.
- Attacker identifies vulnerable client-to-server communications occurring without transport-layer encryption.
- Attacker intercepts the cleartext network traffic using a packet capture tool such as Wireshark or tcpdump.
- Attacker analyzes the intercepted traffic to identify sensitive information such as credentials or configuration data.
- Attacker uses the acquired credentials to gain unauthorized access to managed systems or customer environments.
- Attacker leverages compromised systems for lateral movement within the network.
Impact
Successful exploitation of CVE-2026-6066 can lead to the compromise of ConnectWise Automate deployments, potentially affecting hundreds or thousands of MSP clients. An attacker could intercept credentials, configuration data, and other sensitive information, leading to unauthorized access to managed systems. This could result in data breaches, ransomware attacks, and other malicious activities targeting MSP clients. The severity is amplified by the widespread use of ConnectWise Automate among MSPs and the potential for cascading effects across their customer base.
Recommendation
- Upgrade ConnectWise Automate to version 2026.4 or later to remediate CVE-2026-6066 as per the ConnectWise security bulletin (https://www.connectwise.com/company/trust/security-bulletins/2026-04-20-connectwise-automate-bulletin).
- Implement network segmentation and monitoring to detect and prevent unauthorized network access and traffic interception.
- Deploy the Sigma rule for unencrypted ConnectWise Automate communication to identify potentially vulnerable connections.
- Review and enforce strong password policies and multi-factor authentication for all ConnectWise Automate accounts.
Detection coverage 2
Detect Unencrypted ConnectWise Automate Communication
mediumDetects network traffic potentially related to unencrypted ConnectWise Automate Solution Center communication by looking for connections to port 443 without TLS negotiation.
Detect ConnectWise Automate Process Initiating Network Connection
mediumDetects ConnectWise Automate process making network connections which may indicate data exfiltration or command and control activity.
Detection queries are kept inside the platform. Get full rules →
Indicators of compromise
1
url
| Type | Value |
|---|---|
| url | https://www.connectwise.com/company/trust/security-bulletins/2026-04-20-connectwise-automate-bulletin |