
Overview

ConnectWise uses various methods to communicate security vulnerability information to customers. A Security Bulletin is used when publicly disclosing security vulnerabilities discovered in ConnectWise offerings.

Alternative tools and processes are used, where appropriate, when targeted or discreet communication with entitled customers is required. To protect our customers, ConnectWise does not publicly disclose or confirm security vulnerabilities until ConnectWise has conducted an analysis of the product and has issued fixes and/or mitigations.

Security Bulletins notify customers about one or more vulnerabilities. These bulletins provide guidance to assist customers in assessing the impact of any actual or potential security vulnerability in the context of their environment.

ConnectWise Platform Security

The ConnectWise platform is an integral part of your operations and is a gateway to your clients’ sensitive business-critical data. Increasing our security measures and reducing vulnerabilities across the platform is a top priority for our entire organization to gain your confidence as your trusted vendor.

ConnectWise Bug Bounty Program

ConnectWise has launched a bug bounty program to supplement its own internal vulnerability management strategy, boosting efforts to quickly identify and remediate bugs and security vulnerabilities in its software. Third-party researchers and other security entities can report potential security vulnerabilities here.

The Security of the ConnectWise Platform

Your confidence in our ability to test and maintain a secure platform is essential to our partnership with you.

View our Product Security Updates >>

ConnectWise Security Vulnerability Management (CIRT)

ConnectWise Incident Response Team (CIRT) Overview

The ConnectWise Incident Response Team (CIRT) is a global team that manages the receipt, investigation, and internal coordination of security vulnerability information related to ConnectWise offerings. ConnectWise CIRT is a focal point for security researchers, industry groups, government organizations, and vendors to report potential ConnectWise vulnerabilities. This team will coordinate with ConnectWise product and solutions teams to investigate, and if needed, identify the appropriate response plan. Customers of ConnectWise offerings should continue to report all product-related issues, including potential security vulnerabilities, to ConnectWise Security. Maintaining communication between all involved parties, both internal and external, is a key component of our vulnerability response process.

ConnectWise Incident Response Team Process

When ConnectWise CIRT receives a report of a potential vulnerability from a third party, ConnectWise CIRT logs the issue with the supporting details and provides the tracking number to the vulnerability reporter. ConnectWise CIRT notifies the appropriate ConnectWise product teams of the potential vulnerability for analysis.

The appropriate product team attempts to reproduce the issue to verify whether it is a vulnerability.

After the initial analysis, the vulnerability undergoes further investigation by the product team to determine the underlying cause and possible methods of exploitation. The team completes the remediation plan for the vulnerability, taking into consideration the affected versions.

In some cases, ConnectWise CIRT may request additional information from the vulnerability reporter to understand the environment in which the vulnerability appears, ways to reproduce the issue, potential exploitation methods, etc.

Once the remediation is available, ConnectWise intends to notify the affected customers about the vulnerability through the use of either targeted communications or by issuing a public Security Bulletin. When ConnectWise discloses the vulnerability publicly, the Bulletin will include details such as the Common Vulnerability Scoring System (CVSS) base score and vector, a reference to the assigned Common Vulnerabilities and Exposures (CVE) identifier, remediation for the affected offering(s), and other relevant links that may cover additional information.

The last stage in the ConnectWise CIRT process is for ConnectWise CIRT to share findings with our Engineering team(s) to help minimize similar vulnerabilities in future ConnectWise offerings.

Report Security Vulnerabilities

A security vulnerability is a set of conditions in the design, implementation, operation, or management of a product or service. Vulnerabilities render the product or service unable to prevent an attack by an internal or external party, resulting in exploitations such as controlling or disrupting operation, compromising (such as deleting, altering or extracting) data, or assuming ungranted trust or identity.

Customers and other entitled users of a product or solution should report issues discovered in ConnectWise offerings to ConnectWise Security. If the ConnectWise Technical Support Team determines that a reported issue is a security vulnerability, it will contact the appropriate Security and/or System Integrity groups and inform ConnectWise PSIRT, as needed. These ConnectWise teams will collaborate as required to address the issue.

Third-party researchers and other security entities: if you find a potential security vulnerability in ConnectWise assets, products, or services, please report it to ConnectWise Security.

Q: What is a vulnerability disclosure program?
A: A vulnerability disclosure program (VDP) offers guidance for how an organization would like to be notified about potential security vulnerabilities found by external third parties and how vulnerabilities are disclosed. Often called the “see something, say something” of the Internet, this public-facing program is an industry best practice. The VDP outlines how external third parties can report potential security vulnerabilities to ConnectWise so they can be safely resolved.

Q: What is ConnectWise doing to enhance its VDP?
A: ConnectWise is continually enhancing its VDP. Later in 2020, ConnectWise will add a managed vulnerability disclosure program that connects organizations with independent cybersecurity researchers. This enhancement to the program will provide ConnectWise with an external resource to provide an initial triage to issues identified by third parties.

Industry and Regulation Compliance

ConnectWise is routinely and thoroughly audited by independent third-party organizations and government agencies to ensure our products and practices comply with global and regional regulations and standards.

We Are Proud to Be SOC 2 Type 2 Certified

As a reflection of our commitment to cybersecurity, ConnectWise recently passed an independent SOC 2 Type 2 audit for the benefit of all current and prospective Partners.

The intent of the SOC 2 audit is to assess and address the risks associated with using an outsourced service like ConnectWise, allowing you, our users, to have trust and confidence in us and manage the risk associated with our products. The reports provide assurance of the design and operating effectiveness of our control environment as they are the result of comprehensive, independent audits.

The ConnectWise SOC 2 Type 2 reports cover the Security, Availability, and Confidentiality principles of the AICPA Trust Services Criteria (TSC) for ConnectWise Manage®, ConnectWise Automate®, ConnectWise Sell®, and ConnectWise Control®. The ConnectWise SOC 2 Type 2 reports cover the Security, Privacy, and Confidentiality principles of the AICPA Trust Services Criteria (TSC) for Continuum Command®, Continuum Fortify®, Continuum Recover®, Continuum Assist®, Continuum Enable®, and BrightGauge®.

Security: Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to meet its objectives.

Availability: Information and systems are available for operation and use to meet the entity’s objectives.

Confidentiality: Information designated as confidential is protected to meet the entity’s objectives.

Privacy: Personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives.

To request a copy of our SOC 2 report, send an email to infosec@connectwise.com. Please indicate the relevant product(s) in your request.

Privacy Protection

You trust us with your data, and we’re committed to keeping it safe. ConnectWise adheres to strict industry privacy standards and complies with new privacy standards and mandates as they progress. We strive to be as transparent as possible with our data collection and usage practices, with a goal of providing best-in-class products, services, and web experiences for users. We understand that individual rights, requirements and policies vary significantly across the globe, as well as for various users and audience members.

ConnectWise Privacy Policy >>

Continuum Privacy Policy >>

BrightGauge Privacy Policy >>

ITBoost Privacy Policy >>

June 22, 2020 – Update on the ConnectWise Automate API Vulnerability (Email Communication from June 22, 2020)

The security of our partners is of paramount importance to ConnectWise, and consistent with the terms of our EULA, we are always looking for anomalies in how our products are working, not only to improve functionality but also to assess for potential malicious activity. Following the Automate vulnerability identified and hotfix implemented last week, ConnectWise was working with a few partners and identified some non-functioning agents on their Automate servers. Non-functioning agents are usually benign, but we thought it best to assess the full scope of the issue and inform impacted partners so they could take action as they see fit.

June 22, 2020 – Update on the ConnectWise Manage Customer and Admin Portals:

We have issued security bulletins on the ConnectWise Manage Customer and Admin portals. Please review the security bulletin tab.

June 21, 2020

Dear Partners,
Trusted advisors in our community have responsibly disclosed a potential issue involving the Manage Customer and Admin Portals. Out of an abundance of caution, we have placed both portals under maintenance while we address these reports and will follow with a Security Bulletin.

Regarding the current impact to our partners, please note that the Customer Portal is still accessible to those using an external validation application such as Google or Microsoft login. We anticipate an update by mid-day, Eastern time, on Monday, June 22.

Thank you,
Tom Greco
Information Security Director

May 15, 2020: Security Updates for ConnectWise Control and ConnectWise Automate

ConnectWise Control

Earlier today, we identified a potential Phishing Scam using what appears to be a ScreenConnect URL via a website spoofing technique. Here is a sample of the Scam email used:

[Screenshot of the sample scam email]

If you received this or a similar email, do not click on any links in the email and delete the email immediately. We have already reported the malicious activity to the authorities.

If you have opened the email or accessed the malicious link provided, we recommend changing the credentials of any account you used or provided to the malicious site.

As always, we recommend carefully checking any URL for slight spelling errors, as this typically indicates phishing activity. Additionally, ConnectWise will never proactively email you to initiate a password change or confirm an MFA enablement.

Thank you,

The ConnectWise Team
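The advice above to check links for slight spelling errors can be made mechanical. The following Python is an added example written for this page, not ConnectWise code: it parses the destination hostname of a link and compares its registrable domain against the legitimate domains the page itself names (connectwise.com and screenconnect.com), flagging names that are a couple of edits away from a trusted domain or that only embed the brand name inside another domain. The sample URLs in demo() are constructed, and the two-label domain rule is a simplifying assumption.

```python
"""Lookalike-domain check for links found in suspicious email.

Added example, not ConnectWise code. The trusted domains are the ones the page
names; the URLs in demo() are constructed for illustration.
"""
from urllib.parse import urlsplit

# Domains the page references as legitimate (cloud.screenconnect.com, connectwise.com).
TRUSTED_DOMAINS = ("connectwise.com", "screenconnect.com")


def levenshtein(a: str, b: str) -> int:
    """Edit distance: the number of single-character changes that turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Assumption: no multi-label public suffixes
    (co.uk and the like); a production checker would consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return (verdict, matched_domain).

    'trusted'   - the registrable domain is exactly a trusted one
    'lookalike' - within max_distance edits of a trusted domain, or the trusted
                  brand label appears inside some other domain
    'unknown'   - none of the above
    'invalid'   - no hostname could be parsed
    The hostname comes from urlsplit, so a trusted name that only appears in the
    path or userinfo part of the link does not count as the destination.
    """
    host = urlsplit(url).hostname
    if not host:
        return ("invalid", None)
    reg = registrable_domain(host)
    if reg in trusted:
        return ("trusted", reg)
    for t in trusted:
        if 0 < levenshtein(reg, t) <= max_distance:
            return ("lookalike", t)
        if t.split(".")[0] in host:  # brand label buried in another domain
            return ("lookalike", t)
    return ("unknown", reg)


def demo():
    # Constructed sample links; none of these refer to real sites.
    samples = [
        "https://cloud.screenconnect.com/Login",   # genuine hostname
        "https://screenconect.com/reset",          # one letter missing
        "https://screenconnect.com.example/",      # brand used as a subdomain
        "https://example.org/docs",                # unrelated
    ]
    return [(u, classify_url(u)) for u in samples]


if __name__ == "__main__":
    for url, verdict in demo():
        print(f"{verdict[0]:9s} {url}")
```

Treat a 'lookalike' verdict as a reason to stop and verify through a known-good channel rather than the link itself; the distance threshold and the two-label rule are tunable assumptions, not fixed policy.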

ConnectWise Automate

Earlier this afternoon our team was alerted to two attempted intrusions into on-prem Automate accounts via partner Admin Accounts. The accounts were not using MFA.

We strongly encourage you to update your Automate system to version 2020.1 or higher immediately. This update applies MFA to all accounts and also enforces a complex password requirement. Documentation for this update is linked here, and multi-factor authentication (MFA) enablement information regarding the update is below for reference. Please note that to take advantage of the complex password requirement, you will be required to change the password for all accounts after applying the update.

While Automate 2020.4 provides the latest security enhancements, if you need time to install a 2020.1 or higher update, we recommend, as an immediate step, assigning the Admin permissions to another user who has MFA enabled and then deleting the Admin account. If you need assistance in updating or reassigning admin privileges, please contact support.

Thank you,

The Automate Team

Multi-Factor Authentication Details:

Multi-factor authentication (MFA) is enabled by default in versions 2020.1 and higher for users logging in with local credentials. Before upgrading to version 2020.1 or later, email settings must be configured and each user must have a unique and valid email address entered in their user profile. For more information, refer to Multi-Factor Authentication for Automate.

To prepare for this change:

- Configure Email Settings for your system. If you have not previously configured these settings because you are concerned about receiving too many notifications or are using a PSA integration, please refer to Control Ticket Messages for information on silencing notifications by turning off ticket messaging.

- Navigate to System > Users and Contacts > Users and ensure that all users in your system have a unique and valid email address entered in their user profile.

February 5, 2020: ConnectWise Control's Cloud Password Reset / MFA Risk has been Mitigated

On February 4, 2020, Huntress Labs contacted our ConnectWise Control team with a potential risk involving password resets and multi-factor authentication (MFA). Within two hours, our team mitigated the issue.

This configuration was limited to the cloud.screenconnect.com logon, which is solely for admin accounts and would require the attacker to have access to the email of the partner’s admin user. In this specific case, the password reset process sends a password reset link via email to the ConnectWise Control admin user email address on record. After completing the password reset, the user was subsequently logged in. The concern was that an attacker with access to the user’s email could have potentially leveraged the password reset functionality to gain access without the MFA challenge.

Password resets now require re-authentication, including MFA, if configured, which mitigates this potential risk.
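The flaw described above and its mitigation, modelled in Python as an added example (not ConnectWise's code): reset_password_unsafe hands out a logged-in session as soon as the emailed reset token is used, so whoever controls the mailbox never meets the MFA challenge, while reset_password only changes the password and leaves the next login to enforce MFA. The account, TOTP seed, token lifetime and fixed clock are constructed for the example; the TOTP routine follows RFC 6238 with SHA-1.

```python
"""Password reset that does not bypass MFA.

Added example, not ConnectWise code: a minimal model of a reset flow that logs the
user straight in, next to the mitigated flow (reset changes the password only; the
following login re-authenticates, MFA included). All data here is constructed.
"""
import base64
import hashlib
import hmac
import secrets
import struct

RESET_TTL = 900             # assumed: reset links expire after 15 minutes
FIXED_NOW = 1_700_000_000   # constructed clock so the demo is deterministic
RFC6238_SEED = base64.b32encode(b"12345678901234567890").decode()  # RFC 6238 test seed


def hash_password(password: str, salt: bytes = None):
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time-step containing `at`."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(base64.b32decode(secret_b32), counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


class Account:
    def __init__(self, email: str, password: str, mfa_secret=None):
        self.email = email
        self.salt, self.pw_hash = hash_password(password)
        self.mfa_secret = mfa_secret  # base32 TOTP seed; None means MFA not configured

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(hash_password(password, self.salt)[1], self.pw_hash)


class AuthService:
    def __init__(self, now=lambda: FIXED_NOW):
        self.now = now
        self.accounts = {}
        self.reset_tokens = {}  # token -> (email, expiry)
        self.sessions = {}      # session id -> email

    def request_reset(self, email: str) -> str:
        # In a real system this token is sent only to the mailbox on record.
        token = secrets.token_urlsafe(32)
        self.reset_tokens[token] = (email, self.now() + RESET_TTL)
        return token

    def _consume_reset(self, token: str) -> str:
        entry = self.reset_tokens.pop(token, None)  # single use
        if entry is None or entry[1] < self.now():
            raise PermissionError("invalid or expired reset token")
        return entry[0]

    def reset_password_unsafe(self, token: str, new_password: str) -> str:
        """Flawed flow: completing the reset yields a logged-in session, so the
        holder of the mailbox is never asked for the MFA code."""
        email = self._consume_reset(token)
        acct = self.accounts[email]
        acct.salt, acct.pw_hash = hash_password(new_password)
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = email
        return sid

    def reset_password(self, token: str, new_password: str) -> None:
        """Mitigated flow: only the password changes; no session is issued."""
        email = self._consume_reset(token)
        acct = self.accounts[email]
        acct.salt, acct.pw_hash = hash_password(new_password)

    def login(self, email: str, password: str, mfa_code: str = None) -> str:
        acct = self.accounts.get(email)
        if acct is None or not acct.check_password(password):
            raise PermissionError("bad credentials")
        if acct.mfa_secret is not None:  # MFA, when configured, is always challenged
            expected = totp(acct.mfa_secret, int(self.now()))
            if mfa_code is None or not hmac.compare_digest(expected, mfa_code):
                raise PermissionError("MFA required")
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = email
        return sid


def demo():
    """Returns (unsafe_flow_skipped_mfa, mitigated_flow_demands_mfa, owner_can_log_in)."""
    svc = AuthService()
    user = "admin@example.invalid"  # constructed account
    svc.accounts[user] = Account(user, "old-pw", RFC6238_SEED)
    # Mailbox access alone: the reset link is available, the TOTP device is not.
    skipped = svc.reset_password_unsafe(svc.request_reset(user), "pw-1") in svc.sessions
    svc.reset_password(svc.request_reset(user), "pw-2")
    try:
        svc.login(user, "pw-2")  # no code supplied
        demands_mfa = False
    except PermissionError:
        demands_mfa = True
    # The legitimate owner supplies the code from the enrolled device.
    owner_ok = svc.login(user, "pw-2", totp(RFC6238_SEED, FIXED_NOW)) in svc.sessions
    return skipped, demands_mfa, owner_ok


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```

The point of the mitigated flow is that the reset token proves only control of the mailbox; it is never exchanged for a session, so the MFA factor is still required at the login that follows, exactly the property the mitigation above restores.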

We have verified our mitigation and have asked Huntress Labs to verify as well.

For further questions or concerns, please contact Security@ConnectWise.com.

January 24, 2020: An Open Letter From Jason Magee Regarding The Bishop Fox Report Findings

Earlier this week, a story was published about potential security vulnerabilities with ConnectWise Control. In the spirit of transparency, I wanted to provide an update on this story and outline what has been done and what our ongoing efforts are to ensure the security of our products, your business and your customers.

In late September, ConnectWise received notification from an organization that operates as a consultant in the security space, stating they had identified eight potential vulnerabilities in ConnectWise Control. While our product and security teams felt that many of these potential vulnerabilities presented a low risk of actual attack to our partners, we take security extremely seriously and investigated, resolving six of the areas of concern by Oct 2, 2019.

While the threat landscape is ever changing, we seek to constantly and proactively manage security efforts not only through the updating of our products, but through the education of our team and collaboration with third-party security experts.

As security is of critical importance to us, here are some of the things we have been doing and where we are today:

• ConnectWise recently passed an independent SOC 2 Type 2 audit for the benefit of all current and prospective Partners. We regularly conduct penetration tests performed by both internal and external resources and have implemented ethical hacker training and OWASP processes, and we consistently run vulnerability assessments on our systems and products.

• We have implemented tools that automatically evaluate behavior to reduce misuse of our products, started implementing machine learning to detect anomalies in logins, are about to launch a bug bounty program, and have started the rollout of MFA and SSO across the platform.

• In Q4 of 2019, we also invested in a comprehensive developer security training curriculum to increase the security skills of our teams and ensure that our developers are trained on the most recent and relevant application security coding practices.

• On January 21, 2020 we launched the ConnectWise Security Trust site, which will be a primary source of information on security incidents, relevant alerts and of course critical patches and product updates.

• We hired GuidePoint Security, LLC, an independent third-party cybersecurity solutions company, to further validate our patches and confirm that the vulnerabilities were mitigated. We have published a matrix outlining each potential vulnerability with the perspectives from Bishop Fox, Huntress Labs and GuidePoint Security, LLC, along with our stance on the issue and any action being taken.

• One of the remaining two suggested areas of remediation is Cross-site Scripting (XSS), which is the potential for abuse of the Control Administrator role’s ability to customize the application. This customization ability is a key feature of Control that many partners value. This issue is considered a low actual risk, but we will be removing the option from our trial offering.

• The final identified issue is related to Security Headers. The strongest defense involves layers of security. Security Headers represent one option for implementing certain layers. In the absence of Security Headers, ConnectWise does implement security layers addressing the types of threats reported in the consultant’s assessment.

As we continue to investigate potential vulnerabilities and implement mitigation plans, we will be posting updates to our Security Trust site. I encourage you to check this site for the latest information, as well as future updates from our work with GuidePoint Security, LLC.

In our conversations with Huntress Labs to compare our findings and their results, Kyle Hanslovan, CEO of Huntress Labs has this to share:

“Bugs happen. And it’s not about when bugs happen, but it’s about what you do when they happen. We were happy to work with CRN earlier this week to confirm that ConnectWise had already patched 6 of the 8 items found. I think three things matter in this scenario: Were the bugs acknowledged, were the bugs fixed and was the company passionate about fixing them for the right reasons? I think ConnectWise came through on all three things, and after our positive conversation on January 23, we’re excited about continuing to work with ConnectWise and other vendors for the benefit of the channel as a whole.”

I want to assure our community that we understand the trust you place in our products and people. We take that trust seriously. You have our unrelenting commitment to security and transparency, and we appreciate your questions and feedback toward our continuous improvement.

January 23, 2020: Updated Statement Regarding The Bishop Fox Report Findings

ConnectWise takes cybersecurity seriously and we realize that rumored and confirmed security incidents create stress and concern for our partners. Our partners and vendors can use Security@ConnectWise.com to report suspected security incidents related to our products or to inquire about a potential security incident that is associated with a ConnectWise product.

As a reflection of our commitment to cybersecurity, ConnectWise recently passed an independent SOC 2 Type 2 audit for the benefit of all current and prospective Partners. ConnectWise regularly conducts penetration tests performed by both internal and external resources. We have implemented ethical hacker training and OWASP processes, and we consistently run vulnerability assessments on our systems and products. In addition, we have implemented tools that automatically evaluate behavior to reduce misuse of our products, started implementing machine learning to detect anomalies in logins, are about to launch a bug bounty program, and have started the rollout of MFA and SSO across the platform.

Immediately after CRN published articles on January 21, 2020, about the potential vulnerabilities in ConnectWise Control, we reached out to Huntress Labs to discuss their analysis and recommendations. Our conversation with Huntress Labs was collaborative and constructive, and they were receptive to our context regarding the reported issues.

We have also hired GuidePoint Security, LLC, an independent third-party cybersecurity solutions company to assess the findings from Bishop Fox and Huntress Labs as well as run their own independent vulnerability assessment. We look forward to sharing more information with you as we have it.

We believe that mitigating cybersecurity threats starts with understanding them. Please review the following FAQ about the security of ConnectWise Control in relation to the findings from Bishop Fox and Huntress Labs.

January 22, 2020: Original Statement Regarding The Bishop Fox Report Findings

In late September, ConnectWise received notification from a company known as Bishop Fox, an organization that operates as a consultant in the security space, stating they had identified vulnerabilities in ConnectWise Control. We had several conversations with Bishop Fox and asked for further information to assist in replicating their findings and thus facilitate any necessary improvements to our product.

Bishop Fox could not provide additional information, as the attack chain for the exploits they outlined was conceptual. In addition, both Bishop Fox and ConnectWise agreed that no active exploits had occurred from these potential vulnerabilities.

ConnectWise takes the security of our products and our partners very seriously. We appreciated the insights, and based on their report, we did our own internal research and evaluation and addressed the points they raised in their review. Out of an abundance of caution, we resolved 6 of the 8 items Bishop Fox listed in their report by October 2, 2019.

On January 21, 2020, ConnectWise again ran our own tests on 6 of the 8 items referenced in the Bishop Fox report and we can affirm that they are secure. Within the next two weeks we will resolve a seventh item that is much lower in risk. ConnectWise takes the stance that the final item identified by Bishop Fox does not pose a credible threat to users of the product.

ConnectWise looks at security as a dynamic threat and will continue to work to optimize security for our partners and community. We encourage partners and colleagues to contact us at security@connectwise.com with any questions or to report any issues.

FAQs

What sort of security do you have implemented to protect your customers and prevent these things from happening?

ConnectWise products are subject to multiple layers of security from design through testing and into operations. Product designs are aligned with security best practices and undergo security testing prior to release and regularly in production. In addition, ConnectWise developers complete security training on an annual basis at a minimum.

Six of the eight issues outlined in the report from Bishop Fox have been remediated, and they were remediated as of October 2, 2019. Partners should always update their applications to stay current with new security patches and features.

In addition, Control supports multi-factor authentication on all internal users, offers the ability to restrict or whitelist IPs, and further restricts access using user roles and permissions. Cloud instances are automatically secured with an SSL certificate and enabled with an HTTP-to-HTTPS redirect. In addition, Control admins have the option to enable ‘prompt for consent,’ which requires an end user to consent to a connection.

View ConnectWise Control Security Guide >>

What are you doing as a company to improve communication about security issues?

ConnectWise is continually improving security communications. Most notably, ConnectWise has achieved SOC 2 Type 2 certification.

For this specific instance, we have hired GuidePoint Security, LLC, an independent third-party cybersecurity solutions company, to assess the findings from Bishop Fox and Huntress Labs, as well as run their own independent vulnerability assessment.

Further information regarding the security of ConnectWise products may also be obtained here:

Learn More About ConnectWise Product Security >>

Does ConnectWise take security seriously?

ConnectWise takes security very seriously. ConnectWise looks at security as a dynamic threat and will continue to work to optimize security for our partners and community. ConnectWise regularly conducts penetration tests that are performed by both internal and external ethical hackers, and we run vulnerability assessments on our systems and products on a consistent basis.

We encourage partners and colleagues to contact us at security@connectwise.com with any questions or to report any issues.

Learn More About ConnectWise Product Security >>

Are you going back and fixing older versions of the product?

Control Cloud partners are automatically updated to the latest stable version of Control. We recommend that on-premises instances remain up to date on support and maintenance.

Six of the eight issues outlined in the report from Bishop Fox have been remediated, and they were remediated as of October 2, 2019.

On-premises partners can learn more about upgrading here:
Upgrade an On-Premises Installation of ConnectWise Control >>

Cloud partners can learn more here:
Upgrade A Cloud Instance of ConnectWise Control >>

What is the status of addressing the items identified?

ConnectWise previously remediated most of the items suggested by Bishop Fox. Within the next two weeks we will resolve one item that is much lower in risk. ConnectWise takes the stance that the final item identified by Bishop Fox does not pose a credible threat to users of the product.

If it’s low risk, why did you fix it?

The ConnectWise Control team investigates all potential security threats, regardless of severity. Issues that are low in priority are sometimes also low in effort to remediate, and in those cases we may quickly release a fix.

Does this theoretical vulnerability affect just cloud instances, on-premises installations, or both?