{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/connectwise/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-6066"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["cve-2026-6066","connectwise","cleartext","rmm"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eConnectWise Automate is a remote monitoring and management (RMM) platform used by managed service providers (MSPs). CVE-2026-6066 describes a vulnerability in the ConnectWise Automate Solution Center where specific client-to-server communications may occur without transport-layer encryption. An attacker positioned on the network could intercept sensitive data transmitted in cleartext. This vulnerability was disclosed on April 20, 2026, and affects ConnectWise Automate versions prior to 2026.4. Successful exploitation allows an attacker to potentially gain access to credentials, configuration details, and other sensitive information related to the managed clients. The vulnerability has been resolved in Automate 2026.4 by enforcing secure communication for affected Solution Center connections.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains network access to a ConnectWise Automate deployment.\u003c/li\u003e\n\u003cli\u003eAttacker passively monitors network traffic for communications between Automate clients and the Solution Center.\u003c/li\u003e\n\u003cli\u003eAttacker identifies vulnerable client-to-server communications occurring without transport-layer encryption.\u003c/li\u003e\n\u003cli\u003eAttacker intercepts the cleartext network traffic using a packet capture tool such as Wireshark or tcpdump.\u003c/li\u003e\n\u003cli\u003eAttacker analyzes the intercepted traffic to identify sensitive information such as credentials or configuration data.\u003c/li\u003e\n\u003cli\u003eAttacker uses the acquired credentials to gain unauthorized access to managed systems or customer environments.\u003c/li\u003e\n\u003cli\u003eAttacker leverages compromised systems for lateral movement within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6066 can lead to the compromise of ConnectWise Automate deployments, potentially affecting hundreds or thousands of MSP clients. An attacker could intercept credentials, configuration data, and other sensitive information, leading to unauthorized access to managed systems. This could result in data breaches, ransomware attacks, and other malicious activities targeting MSP clients. The severity is amplified by the widespread use of ConnectWise Automate among MSPs and the potential for cascading effects across their customer base.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade ConnectWise Automate to version 2026.4 or later to remediate CVE-2026-6066 as per the ConnectWise security bulletin (\u003ca href=\"https://www.connectwise.com/company/trust/security-bulletins/2026-04-20-connectwise-automate-bulletin\"\u003ehttps://www.connectwise.com/company/trust/security-bulletins/2026-04-20-connectwise-automate-bulletin\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eImplement network segmentation and monitoring to detect and prevent unauthorized network access and traffic interception.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule for unencrypted ConnectWise Automate communication to identify potentially vulnerable connections.\u003c/li\u003e\n\u003cli\u003eReview and enforce strong password policies and multi-factor authentication for all ConnectWise Automate accounts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-21T12:00:00Z","date_published":"2026-04-21T12:00:00Z","id":"/briefs/2026-04-connectwise-cleartext/","summary":"ConnectWise Automate is vulnerable to CVE-2026-6066, a cleartext transmission of sensitive information vulnerability, where certain client-to-server communications could occur without transport-layer encryption, potentially allowing network-based interception of Solution Center traffic, and the issue is resolved in Automate 2026.4 by enforcing secure communication.","title":"ConnectWise Automate Solution Center Cleartext Communication Vulnerability (CVE-2026-6066)","url":"https://feed.craftedsignal.io/briefs/2026-04-connectwise-cleartext/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.4,"id":"CVE-2024-1708"}],"_cs_exploited":false,"_cs_products":["ScreenConnect"],"_cs_severities":["critical"],"_cs_tags":["path-traversal","remote-code-execution","cve-2024-1708","connectwise"],"_cs_type":"advisory","_cs_vendors":["ConnectWise"],"content_html":"\u003cp\u003eCVE-2024-1708 is a critical path traversal vulnerability affecting ConnectWise ScreenConnect. This flaw could allow an unauthenticated attacker to execute remote code or directly access confidential data and critical systems. ConnectWise released security bulletin 23.9.8 to address this vulnerability. Given the potential for remote code execution and data compromise, this vulnerability poses a significant risk to organizations using ConnectWise ScreenConnect, potentially allowing full system takeover. CISA added this to their KEV catalog and recommends applying mitigations per vendor instructions, following BOD 22-01 guidance for cloud services, or discontinuing use of the product if mitigations are unavailable.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a ConnectWise ScreenConnect server exposed to the internet.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request containing a path traversal payload targeting a vulnerable endpoint within ScreenConnect. This payload is designed to bypass authentication checks.\u003c/li\u003e\n\u003cli\u003eThe ScreenConnect server processes the malicious request, and the path traversal vulnerability allows the attacker to access files outside of the intended webroot directory.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the file access to read sensitive configuration files, potentially containing credentials or other sensitive information.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker uploads a malicious executable (e.g., a web shell) to a writeable directory accessible via path traversal.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the uploaded web shell, gaining remote code execution on the ScreenConnect server.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised ScreenConnect server as a pivot point to move laterally within the internal network, escalating privileges and compromising additional systems.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data or deploys ransomware, disrupting business operations and causing significant financial damage.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2024-1708 can lead to complete compromise of ConnectWise ScreenConnect servers and potentially the entire network. Attackers could exfiltrate sensitive data, deploy ransomware, or use the compromised systems for lateral movement. Given the widespread use of ScreenConnect in MSP environments, a successful attack could impact numerous downstream clients, causing widespread disruption.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the mitigations provided by ConnectWise in security bulletin 23.9.8 to patch CVE-2024-1708.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious ScreenConnect Path Traversal Attempts\u0026rdquo; to identify potential exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious outbound connections originating from ScreenConnect servers, as this could indicate post-exploitation activity.\u003c/li\u003e\n\u003cli\u003eReview and harden the configuration of ConnectWise ScreenConnect servers, following security best practices to minimize the attack surface.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-04-29T12:00:00Z","date_published":"2024-04-29T12:00:00Z","id":"/briefs/2024-04-29-screenconnect-path-traversal/","summary":"CVE-2024-1708 is a path traversal vulnerability in ConnectWise ScreenConnect that could allow an attacker to execute remote code or directly impact confidential data and critical systems.","title":"ConnectWise ScreenConnect Path Traversal Vulnerability (CVE-2024-1708)","url":"https://feed.craftedsignal.io/briefs/2024-04-29-screenconnect-path-traversal/"}],"language":"en","title":"CraftedSignal Threat Feed — Connectwise","version":"https://jsonfeed.org/version/1.1"}