https://feed.craftedsignal.io/tags/connectwise/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioTue, 21 Apr 2026 12:00:00 +0000https://feed.craftedsignal.io/briefs/2026-04-connectwise-cleartext/Tue, 21 Apr 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-connectwise-cleartext/ConnectWise Automate is vulnerable to CVE-2026-6066, a cleartext transmission of sensitive information vulnerability, where certain client-to-server communications could occur without transport-layer encryption, potentially allowing network-based interception of Solution Center traffic, and the issue is resolved in Automate 2026.4 by enforcing secure communication.ConnectWise Automate is a remote monitoring and management (RMM) platform used by managed service providers (MSPs). CVE-2026-6066 describes a vulnerability in the ConnectWise Automate Solution Center where specific client-to-server communications may occur without transport-layer encryption. An attacker positioned on the network could intercept sensitive data transmitted in cleartext. This vulnerability was disclosed on April 20, 2026, and affects ConnectWise Automate versions prior to 2026.4. Successful exploitation allows an attacker to potentially gain access to credentials, configuration details, and other sensitive information related to the managed clients. The vulnerability has been resolved in Automate 2026.4 by enforcing secure communication for affected Solution Center connections.

Attack Chain

1. Attacker gains network access to a ConnectWise Automate deployment.
2. Attacker passively monitors network traffic for communications between Automate clients and the Solution Center.
3. Attacker identifies vulnerable client-to-server communications occurring without transport-layer encryption.
4. Attacker intercepts the cleartext network traffic using a packet capture tool such as Wireshark or tcpdump.
5. Attacker analyzes the intercepted traffic to identify sensitive information such as credentials or configuration data.
6. Attacker uses the acquired credentials to gain unauthorized access to managed systems or customer environments.
7. Attacker leverages compromised systems for lateral movement within the network.

Impact

Successful exploitation of CVE-2026-6066 can lead to the compromise of ConnectWise Automate deployments, potentially affecting hundreds or thousands of MSP clients. An attacker could intercept credentials, configuration data, and other sensitive information, leading to unauthorized access to managed systems. This could result in data breaches, ransomware attacks, and other malicious activities targeting MSP clients. The severity is amplified by the widespread use of ConnectWise Automate among MSPs and the potential for cascading effects across their customer base.

Recommendation

• Upgrade ConnectWise Automate to version 2026.4 or later to remediate CVE-2026-6066 as per the ConnectWise security bulletin (https://www.connectwise.com/company/trust/security-bulletins/2026-04-20-connectwise-automate-bulletin).
• Implement network segmentation and monitoring to detect and prevent unauthorized network access and traffic interception.
• Deploy the Sigma rule for unencrypted ConnectWise Automate communication to identify potentially vulnerable connections.
• Review and enforce strong password policies and multi-factor authentication for all ConnectWise Automate accounts.

]]>mediumadvisorycve-2026-6066connectwisecleartextrmmhttps://feed.craftedsignal.io/briefs/2024-04-29-screenconnect-path-traversal/Mon, 29 Apr 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-04-29-screenconnect-path-traversal/CVE-2024-1708 is a path traversal vulnerability in ConnectWise ScreenConnect that could allow an attacker to execute remote code or directly impact confidential data and critical systems.CVE-2024-1708 is a critical path traversal vulnerability affecting ConnectWise ScreenConnect. This flaw could allow an unauthenticated attacker to execute remote code or directly access confidential data and critical systems. ConnectWise released security bulletin 23.9.8 to address this vulnerability. Given the potential for remote code execution and data compromise, this vulnerability poses a significant risk to organizations using ConnectWise ScreenConnect, potentially allowing full system takeover. CISA added this to their KEV catalog and recommends applying mitigations per vendor instructions, following BOD 22-01 guidance for cloud services, or discontinuing use of the product if mitigations are unavailable.

Attack Chain

1. An unauthenticated attacker identifies a ConnectWise ScreenConnect server exposed to the internet.
2. The attacker crafts a malicious HTTP request containing a path traversal payload targeting a vulnerable endpoint within ScreenConnect. This payload is designed to bypass authentication checks.
3. The ScreenConnect server processes the malicious request, and the path traversal vulnerability allows the attacker to access files outside of the intended webroot directory.
4. The attacker leverages the file access to read sensitive configuration files, potentially containing credentials or other sensitive information.
5. Alternatively, the attacker uploads a malicious executable (e.g., a web shell) to a writeable directory accessible via path traversal.
6. The attacker executes the uploaded web shell, gaining remote code execution on the ScreenConnect server.
7. The attacker uses the compromised ScreenConnect server as a pivot point to move laterally within the internal network, escalating privileges and compromising additional systems.
8. The attacker exfiltrates sensitive data or deploys ransomware, disrupting business operations and causing significant financial damage.

Impact

Successful exploitation of CVE-2024-1708 can lead to complete compromise of ConnectWise ScreenConnect servers and potentially the entire network. Attackers could exfiltrate sensitive data, deploy ransomware, or use the compromised systems for lateral movement. Given the widespread use of ScreenConnect in MSP environments, a successful attack could impact numerous downstream clients, causing widespread disruption.

Recommendation

• Apply the mitigations provided by ConnectWise in security bulletin 23.9.8 to patch CVE-2024-1708.
• Deploy the Sigma rule “Detect Suspicious ScreenConnect Path Traversal Attempts” to identify potential exploitation attempts in web server logs.
• Monitor network traffic for suspicious outbound connections originating from ScreenConnect servers, as this could indicate post-exploitation activity.
• Review and harden the configuration of ConnectWise ScreenConnect servers, following security best practices to minimize the attack surface.

]]>criticaladvisorypath-traversalremote-code-executioncve-2024-1708connectwise