A partnership built on trust and confidence

Our experts are dedicated to providing 24/7/365 security for the ConnectWise platform

March 4, 2021: Important Microsoft Exchange Server Vulnerability Patches Available

Microsoft has released critical patches for Microsoft Exchange Server zero-day vulnerabilities that are being exploited by a nation-state affiliated group. The vulnerabilities exist in on-premises Exchange Servers 2010, 2013, 2016, and 2019. If you’re hosting an Exchange server, we recommend applying patches immediately for CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065.

Background on this vulnerability and more detailed information can be found on our Perch blog: Perch bulletin: Critical zero-day Microsoft Exchange vulnerability observed in the wild.

February 19, 2021: ConnectWise SOC PSA: Fortinet FortiOS Vulnerability

Active exploits connected to a critical vulnerability present in Fortinet's operating system, FortiOS, have been observed by the ConnectWise SOC. ConnectWise is issuing this Public Service Announcement encouraging all Partners and their clients to review any FortiGate Firewalls they may be using to ensure they are fully patched against CVE-2018-13379. This vulnerability can be exploited to allow an unauthenticated attacker to obtain the contents of FortiOS system files through a specifically crafted HTTP request.

Attackers are leveraging this to access the /dev/cmdb/sslvpn_websession file, resulting in exposure of plaintext credentials for any logged-in SSL VPN users. In combination with the common usage of ADsync and credential re-use, exploitation of this presents a serious risk of domain credential compromise and email compromise, as well as, at minimum, a direct path into a client’s network via the SSL VPN.

In addition to patching, ConnectWise recommends full domain and email credential resets for any potentially affected client domains.

ConnectWise is actively reaching out to our partners that may be impacted by a recent exploitation of a Fortinet vulnerability. This is not related in any way to ConnectWise products or services.




February 11, 2021 - ConnectWise Control & Iranian hacker activity

ConnectWise Control has not been hacked or compromised in any way. An Iranian hacker group, disguising their origin by routing through US/UK/EU IP addresses, obtained instances of ConnectWise Control (formerly ScreenConnect) and used them along with trojan files containing the agent installer to compromise other organizations. Two prominent security research firms have reported this to us independently and we corroborated their findings.

The hacker group compromised the victim organizations using email phishing campaigns resulting in the installation of the ConnectWise Control agent. Subsequently, they used Control's intended functionality to execute commands on the victim’s systems.

ConnectWise takes the abuse of its products and services seriously. While we strive to follow industry best practices, detecting all instances of abuse is a continuing challenge for all in our industry.

December 15, 2020: Security Advisory - SolarWinds & FireEye

As you’ve likely seen reported, SolarWinds discovered a supply chain attack compromising their Orion business software updates that distributed malware known as SUNBURST. The malware permits an attacker to gain access to network traffic management systems, and the attacker can leverage this to gain elevated credentials. This compromise was used to target the cybersecurity firm FireEye, as well as multiple U.S. government agencies. For more information on the details of the breach, please see the advisory from the Cybersecurity & Infrastructure Security Agency.

ConnectWise Actions for our Product Security

ConnectWise does not use any SolarWinds or FireEye products internally. However, we are following the developments of this news closely and ensuring that we validate our processes and environment as new information becomes publicly available.

The security of our products, our partners, and our partner data is of critical importance, and while we have no evidence to suggest that any of our systems are involved or impacted, below are the following actions we are proactively taking while this cyber event unfolds:

• Our Security Operations Center (SOC) will continue to carefully monitor the situation. Regarding the SUNBURST malware, the SOC has taken actions to blacklist the known IOCs related to the compromised files globally on our SentinelOne consoles.

• Although ConnectWise is not affected by this event, we are considering the impacts to develop our own lessons learned and use it as an opportunity to seek improvements in our processes and controls.

Recommendations for Partners

If your organization utilizes SolarWinds, be sure to stay current on the recommendations and hotfixes from SolarWinds directly. Review their Security Advisory page for updated information and fixes.

As always, if you ever see anything that you suspect may be malicious or fraudulent activity within our products, please report them immediately to our InfoSec team at security@connectwise.com.

Additional Resources

• Department of Homeland Security Emergency Directive

• Threat Research from FireEye on Sunburst malware

• Microsoft Security Response Center blog

We will continue to provide updates and information as necessary, and we encourage you to visit and bookmark our Security Trust page for ongoing updates and information as it relates to ConnectWise security.

Thank you,
The ConnectWise InfoSec Team

October 31, 2020 - ConnectWise Security: Public Service Announcement

In light of the upcoming elections and recent cyber-attacks on health care systems, there have been reported increases in cyber-attacks on MSPs with attackers seeking to obtain MSP credentials to ConnectWise and competitive products by exploiting weaknesses in MSPs’ security protocols and infrastructures.

We are aware of active threats using attack methods to compromise credentials and, as always, the safety and security of our partners is of the highest priority. We are issuing this public service announcement to encourage our partners, and all MSPs in our industry, to review their systems for the following to best ensure the security of their data and the data of their end customers:

General Security Best Practices

• Review the running processes on all Domain Controllers to ensure that no unexpected processes are running. Attackers are using PowerShell scripts on Domain Controllers with the flag "--hidden" in order to avoid detection by the MSP.

• Enable two-factor authentication (2FA/MFA) on all accounts to include email accounts.

• Check for the presence of the tools Cobalt Strike and Mimikatz. These tools are being utilized by ransomware actors to harvest credentials and gain persistence on a network.

• If unusual PowerShell activity has been observed or unexpected tools installed, it is critical that all user passwords are reset after the successful removal of the tools.

• If possible, block all traffic to pastebin.com as it is a known site for malware.

Select Security Best Practices & Tips for ConnectWise Products

• In addition to MFA, we recommend restricting access to admin pages by IP, employing complex passwords and changing them regularly, and conducting regular account audits.

• Block access to RDP and similar remote access services from the Internet.

• For our ConnectWise Control partners, regularly audit the Toolbox directory to ensure there are no unexpected files within "C:\Program Files (x86)\ScreenConnect\App_Data\Toolbox".
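The Toolbox audit above and the Domain Controller process review from the general best practices can be scripted. The following PowerShell is an added example, not ConnectWise code: the baseline file location `C:\SecurityAudit\toolbox-baseline.json` and the function names are assumptions, and matching the word "hidden" in a command line is a heuristic that covers both the flag quoted above and PowerShell's `-WindowStyle Hidden` parameter.

```powershell
# Added example (not ConnectWise code). Run from an elevated PowerShell session.
[CmdletBinding()]
param(
    # Directory named in the advisory.
    [string]$ToolboxPath = 'C:\Program Files (x86)\ScreenConnect\App_Data\Toolbox',
    # Assumption: hypothetical location of the approved-file baseline.
    [string]$BaselinePath = 'C:\SecurityAudit\toolbox-baseline.json',
    # Record the current Toolbox contents as approved instead of auditing.
    [switch]$UpdateBaseline
)

function Get-ToolboxInventory {
    # Returns one object per file: path relative to the Toolbox, SHA-256, last write time.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return }
    $root = (Resolve-Path -LiteralPath $Path).Path.TrimEnd('\')
    Get-ChildItem -LiteralPath $root -File -Recurse -Force | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($root.Length).TrimStart('\')
            Sha256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            LastWriteUtc = $_.LastWriteTimeUtc.ToString('o')
        }
    }
}

function Compare-ToolboxToBaseline {
    # Reports files that are absent from the baseline or whose content hash changed.
    param($Current, $Baseline)
    $approved = @{}
    foreach ($entry in $Baseline) { $approved[$entry.RelativePath] = $entry.Sha256 }
    foreach ($file in $Current) {
        if (-not $approved.ContainsKey($file.RelativePath)) {
            $finding = 'UnexpectedFile'
        } elseif ($approved[$file.RelativePath] -ne $file.Sha256) {
            $finding = 'ContentChanged'
        } else {
            continue
        }
        [pscustomobject]@{
            Finding      = $finding
            RelativePath = $file.RelativePath
            Sha256       = $file.Sha256
            LastWriteUtc = $file.LastWriteUtc
        }
    }
}

function Get-HiddenPowerShellProcess {
    # Heuristic: PowerShell processes whose command line contains the word "hidden".
    # CommandLine is empty for processes the caller cannot inspect, hence the elevation.
    $filter = "Name = 'powershell.exe' OR Name = 'pwsh.exe'"
    Get-CimInstance -ClassName Win32_Process -Filter $filter |
        Where-Object { $_.CommandLine -match '\bhidden\b' } |
        Select-Object ProcessId, ParentProcessId, CreationDate, CommandLine
}

$inventory = @(Get-ToolboxInventory -Path $ToolboxPath)

if ($UpdateBaseline) {
    # Only do this after reviewing the directory by hand.
    $baselineDir = Split-Path -Parent $BaselinePath
    New-Item -ItemType Directory -Path $baselineDir -Force | Out-Null
    ConvertTo-Json -InputObject $inventory |
        Set-Content -LiteralPath $BaselinePath -Encoding UTF8
    Write-Output "Baseline written: $($inventory.Count) file(s)."
    return
}

if (Test-Path -LiteralPath $BaselinePath) {
    $baseline = Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json
} else {
    Write-Warning "No baseline at $BaselinePath; every Toolbox file is reported as unexpected."
    $baseline = @()
}

Write-Output '--- Toolbox files not matching the baseline ---'
Compare-ToolboxToBaseline -Current $inventory -Baseline $baseline | Format-List

Write-Output '--- PowerShell processes started with a hidden window ---'
Get-HiddenPowerShellProcess | Format-List
```

Run it once with `-UpdateBaseline` after a manual review of the Toolbox, then schedule it without the switch; the process check applies on Domain Controllers even where no Toolbox directory exists.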

For more tips and specific guidance on Security practices for MSPs, please visit the Security Journey on the ConnectWise University.

We strongly encourage our partners and all MSPs to review their security measures and implement the suggestions above. We also suggest that you regularly visit our Trust Site for more information and the latest updates to stay current on the latest MSP security information.

Thank you for your time and attention to this important matter.

Stay safe,
ConnectWise InfoSec Team

June 22, 2020 - Update on the ConnectWise Automate API Vulnerability Email Communication from June 22, 2020

The security of our partners is of paramount importance to ConnectWise, and consistent with the terms of our EULA, we always are looking for anomalies on how our products are working to not only improve functionality but also assess for potential malicious activity. Following the Automate vulnerability identified and hotfix implemented last week, ConnectWise was working with a few partners and identified some non-functioning agents on their Automate servers. Non-functioning agents are usually benign but we thought it best to assess the full scope of the issue and inform impacted partners so they could take action as they see fit.

June 22, 2020 – Update on the ConnectWise Manage Customer and Admin Portals:

We have issued security bulletins on the ConnectWise Manage Customer and Admin portals. Please review the security bulletin tab.

June 21, 2020

Dear Partners,
Trusted advisors in our community have responsibly disclosed a potential issue involving the Manage Customer and Admin Portals. Out of an abundance of caution, we have placed both portals under maintenance while we address these reports and will follow with a Security Bulletin.

Regarding the current impact to our partners, please note that the Customer Portal is still accessible to those using an external validation application such as Google or Microsoft login. We anticipate an update by mid-day, Eastern time, on Monday, June 22.

Thank you,
Tom Greco
Information Security Director

May 15, 2020: Security Updates for ConnectWise Control and ConnectWise Automate

ConnectWise Control

Earlier today, we identified a potential Phishing Scam using what appears to be a ScreenConnect URL via a website spoofing technique.

If you received this or a similar email, do not click on any links in the email and delete the email immediately. We have already reported the malicious activity to the authorities.

If you have opened the email or accessed the malicious link provided, we recommend changing the credentials of any account you used or provided to the malicious site.

As always, we recommend carefully checking any URL for slight spelling errors, as this typically indicates phishing activity. Additionally, ConnectWise will never proactively email you to initiate a password change or confirm an MFA enablement.

Thank you,

The ConnectWise Team

ConnectWise Automate

Earlier this afternoon our team was alerted of two attempted intrusions into on-prem Automate accounts via partner Admin Accounts. The accounts were not using MFA.

We strongly encourage you to update your Automate system to version 2020.1 or higher immediately. This update applies MFA to all accounts and also forces a complex password on this account. Documentation for this update is linked here and multi-factor authentication (MFA) enablement information regarding the update is below for reference. Please note that to take advantage of the complex password requirement, you will be required to change the password for all accounts after applying the update.

While Automate 2020.4 provides the latest security enhancements, if you need time to install a 2020.1 or higher update, we recommend immediate steps to assign the Admin permissions to another user who has MFA enabled and then delete the Admin account. If you need assistance in updating or reassigning admin privileges, please contact support.

Thank you,

The Automate Team

Multi-Factor Authentication Details:

Multi-Factor authentication (MFA) is enabled by default in versions 2020.1 and higher for users logging in with local credentials. Before upgrading to version 2020.1 or later, email settings must be configured and each user must have a unique and valid email address entered in their user profile. For more information, refer to Multi-Factor Authentication for Automate.

To prepare for this change:

- Configure Email Settings for your system. If you have not previously configured these settings because you are concerned about receiving too many notifications or are using a PSA integration, please refer to Control Ticket Messages for information on silencing notifications by turning off ticket messaging.

- Navigate to System > Users and Contacts > Users and ensure that all users in your system have a unique and valid email address entered in their user profile.

February 5, 2020: ConnectWise Control's Cloud Password Reset / MFA Risk has been Mitigated

On February 4, 2020, Huntress Labs contacted our ConnectWise Control team with a potential risk involving password resets and multi-factor authentication (MFA). Within two hours, our team mitigated the issue.

This configuration was limited to the cloud.screenconnect.com logon, which is solely for admin accounts and would require the attacker to have access to the email of the partner’s admin user. In this specific case, the password reset process sends a password reset link via email to the ConnectWise Control admin user email address on record. After completing the password reset, the user was subsequently logged in. The concern was that an attacker with access to the user’s email could have potentially leveraged the password reset functionality to gain access without the MFA challenge.

Password resets now require re-authentication, including MFA, if configured, which mitigates this potential risk.

We have verified our mitigation and have asked Huntress Labs to verify as well.

For further questions or concerns, please contact Security@ConnectWise.com.

January 24, 2020: An Open Letter From Jason Magee Regarding The Bishop Fox Report Findings

Earlier this week, a story was published about potential security vulnerabilities with ConnectWise Control. In the spirit of transparency, I wanted to provide an update on this story and outline what has been done and what our ongoing efforts are to ensure the security of our products, your business and your customers.

In late September, ConnectWise received notification from an organization that operates as a consultant in the security space, stating they had identified eight potential vulnerabilities in ConnectWise Control. While our product and security teams felt that many of these potential vulnerabilities presented a low risk of actual attack to our partners, we take security extremely seriously and investigated, resolving six of the areas of concern by Oct 2, 2019.

While the threat landscape is ever changing, we seek to constantly and proactively manage security efforts not only through the updating of our products, but through the education of our team and collaboration with third-party security experts.

As security is of critical importance to us, here are some of the things we have been doing and where we are today:

• ConnectWise recently passed an independent SOC 2 Type 2 audit for the benefit of all current and prospective Partners. We regularly conduct penetration tests performed by both internal and external resources and have implemented ethical hacker training, OWASP processes, and consistently run vulnerability assessments on our systems and products.

• We have implemented tools that automatically evaluate behavior to reduce misuse of our products, started implementing machine learning to detect anomalies in logins, and we are about to launch a bug bounty program, as well as started the rollout of MFA and SSO across the platform.

• In Q4 of 2019, we also invested in a comprehensive developer security training curriculum to increase the security skills of our teams and assure that our developers are training on the most recent and relevant application security coding practices.

• On January 21, 2020 we launched the ConnectWise Security Trust site, which will be a primary source of information on security incidents, relevant alerts and of course critical patches and product updates.

• We hired GuidePoint Security, LLC, an independent third-party cybersecurity solutions company, to further validate our patches and confirm that the vulnerabilities were mitigated. We have published a matrix outlining each potential vulnerability with the perspectives from Bishop Fox, Huntress Labs and GuidePoint Security, LLC, along with our stance on the issue and any action being taken.

• One of the remaining two suggested areas of remediation is Cross-site Scripting (XSS) which is the potential for abuse of the Control Administrator role’s ability to customize the application. This customization ability is a key feature of Control that many partners value. This issue is considered a low actual risk, but we will be removing the option from our trial offering.

• The final identified issue is related to Security Headers. The strongest defense involves layers of security. Security Headers represent one option for implementing certain layers. In the absence of Security Headers, ConnectWise does implement security layers addressing the types of threats reported in the consultant’s assessment.

As we continue to investigate potential vulnerabilities and implement mitigation plans, we will be posting updates to our Security Trust site. I encourage you to check this site for the latest information, as well as future updates from our work with GuidePoint Security, LLC.

In our conversations with Huntress Labs to compare our findings and their results, Kyle Hanslovan, CEO of Huntress Labs, has this to share:

“Bugs happen. And it’s not about when bugs happen, but it’s about what you do when they happen. We were happy to work with CRN earlier this week to confirm that ConnectWise had already patched 6 of the 8 items found. I think three things matter in this scenario: Were the bugs acknowledged, were the bugs fixed and was the company passionate about fixing them for the right reasons? I think ConnectWise came through on all three things, and after our positive conversation on January 23, we’re excited about continuing to work with ConnectWise and other vendors for the benefit of the channel as a whole.”

I want to assure our community that we understand the trust you place in our products and people. We take that trust seriously. You have our unrelenting commitment to security and transparency, and we appreciate your questions and feedback to our continuous improvement.

January 23, 2020: Updated Statement Regarding The Bishop Fox Report Findings

ConnectWise takes cybersecurity seriously and we realize that rumored and confirmed security incidents create stress and concern for our partners. Our partners and vendors can use Security@ConnectWise.com to report suspected security incidents related to our products or to inquire about a potential security incident that is associated with a ConnectWise product.

As a reflection of our commitment to cybersecurity, ConnectWise recently passed an independent SOC 2 Type 2 audit for the benefit of all current and prospective Partners. ConnectWise regularly conducts penetration tests performed by both internal and external resources. We have implemented ethical hacker training, OWASP processes, and consistently run vulnerability assessments on our systems and products. In addition, we have implemented tools that automatically evaluate behavior to reduce misuse of our products, started implementing machine learning to detect anomalies in logins, are about to launch a bug bounty program, as well as started the rollout of MFA and SSO across the platform.

Immediately after CRN published articles on January 21, 2020, about the potential vulnerabilities in ConnectWise Control, we reached out to Huntress Labs to discuss their analysis and recommendations. Our conversation with Huntress Labs was collaborative and constructive, and they were receptive to our context regarding the reported issues.

We have also hired GuidePoint Security, LLC, an independent third-party cybersecurity solutions company to assess the findings from Bishop Fox and Huntress Labs as well as run their own independent vulnerability assessment. We look forward to sharing more information with you as we have it.

We believe that mitigating cybersecurity threats starts with understanding them. Please review the following FAQ about the security of ConnectWise Control in relation to the findings from Bishop Fox and Huntress Labs.

January 22, 2020: Original Statement Regarding The Bishop Fox Report Findings

In late September, ConnectWise received notification from a company known as Bishop Fox, an organization that operates as a consultant in the security space, stating they had identified vulnerabilities in ConnectWise Control. We had several conversations with Bishop Fox and asked for further information to assist in replicating their findings and thus facilitate any necessary improvements to our product.

Bishop Fox could not provide additional information as the attack chain for the exploits they outlined was conceptual. In addition, both Bishop Fox and ConnectWise agreed that no active exploits had occurred from these potential vulnerabilities.

ConnectWise takes the security of our products and our partners very seriously. We appreciated the insights and based on their report, we did our own internal research and evaluation and addressed the points they raised in their review. With an overabundance of caution, we resolved 6 of the 8 items Bishop Fox listed in their report by October 2, 2019.

On January 21, 2020, ConnectWise again ran our own tests on 6 of the 8 items referenced in the Bishop Fox report and we can affirm that they are secure. Within the next two weeks we will resolve a seventh item that is much lower in risk. ConnectWise takes the stance that the final item identified by Bishop Fox does not pose a credible threat to users of the product.

ConnectWise looks at security as a dynamic threat and will continue to work to optimize security for our partners and community. We encourage partners and colleagues to contact us at security@connectwise.com with any questions or to report any issues.


ConnectWise uses various methods to communicate security vulnerability information to customers. A Security Bulletin is used when publicly disclosing security vulnerabilities discovered in ConnectWise offerings.

Alternative tools and processes are used, where appropriate, when targeted or discrete communication with entitled customers is required. To protect our customers, ConnectWise does not publicly disclose or confirm security vulnerabilities until ConnectWise has conducted an analysis of the product and has issued fixes and/or mitigations.

Security Bulletins notify customers about one or more vulnerabilities. These bulletins provide guidance to assist customers in assessing the impact of any actual or potential security vulnerability in the context of their environment.

ConnectWise Platform Security

The ConnectWise platform is an integral part of your operations and is a gateway to your clients’ sensitive business-critical data. Increasing our security measures and reducing vulnerabilities across the platform is a top priority for our entire organization to gain your confidence as your trusted vendor.

ConnectWise Bug Bounty Program

ConnectWise has launched a bug bounty program to supplement its own internal vulnerability management strategy boosting efforts to quickly identify and remediate bugs and security vulnerabilities in its software. Third party researchers and other security entities can report potential security vulnerabilities here.

The Security of the ConnectWise Platform

Your confidence in our ability to test and maintain a secure platform is essential to our partnership with you.

View our Product Security Updates >>

ConnectWise Security Vulnerability Management (CIRT)

ConnectWise Incident Response Team (CIRT) Overview

The ConnectWise Incident Response Team (CIRT) is a global team that manages the receipt, investigation, and internal coordination of security vulnerability information related to ConnectWise offerings. ConnectWise CIRT is a focal point for security researchers, industry groups, government organizations, and vendors to report potential ConnectWise vulnerabilities. This team will coordinate with ConnectWise product and solutions teams to investigate, and if needed, identify the appropriate response plan. Customers of ConnectWise offerings should continue to report all product-related issues, including potential security vulnerabilities, to ConnectWise Security. Maintaining communication between all involved parties, both internal and external, is a key component of our vulnerability response process.

ConnectWise Incident Response Team Process

When ConnectWise CIRT receives a report of a potential vulnerability from a third party, ConnectWise CIRT logs the issue with the supporting details and provides the tracking number to the vulnerability reporter. ConnectWise CIRT notifies the appropriate ConnectWise product teams of the potential vulnerability for analysis.

The appropriate product team attempts to reproduce the issue to verify whether it is a vulnerability.

After the initial analysis, the vulnerability undergoes further investigation by the product team to determine the underlying cause and possible methods of exploitation. The team completes the remediation plan for the vulnerability, taking into consideration the affected versions.

In some cases, ConnectWise CIRT may request additional information from the vulnerability reporter to understand the environment in which the vulnerability appears, ways to reproduce the issue, potential exploitation methods, etc.

Once the remediation is available, ConnectWise intends to notify the affected customers about the vulnerability through the use of either targeted communications or by issuing a public Security Bulletin. When ConnectWise discloses the vulnerability publicly, the Bulletin will include details such as the Common Vulnerability Scoring System (CVSS) base score and vector, a reference to the assigned Common Vulnerabilities and Exposures (CVE) identifier, remediation for the affected offering(s), and other relevant links that may cover additional information.

The last stage in ConnectWise CIRT process allows for ConnectWise CIRT to share findings with our Engineering team(s) to help minimize similar vulnerabilities in future ConnectWise offerings.

Report Security Vulnerabilities

A security vulnerability is a set of conditions in the design, implementation, operation, or management of a product or service. Vulnerabilities render the product or service unable to prevent an attack by an internal or external party, resulting in exploitations such as controlling or disrupting operation, compromising (such as deleting, altering or extracting) data, or assuming ungranted trust or identity.

Customers and other entitled users of a product or solution should report issues discovered in ConnectWise offerings to ConnectWise Security. If the ConnectWise Technical Support Team determines that a reported issue is a security vulnerability, it will contact the appropriate Security and/or System Integrity groups and inform ConnectWise PSIRT, as needed. These ConnectWise teams will collaborate as required to address the issue.

Third-party researchers and other security entities: if you find a potential security vulnerability in ConnectWise assets, products and services, please report this to ConnectWise Security.

Q: What is a vulnerability disclosure program?
A vulnerability disclosure program (VDP) offers guidance for how an organization would like to be notified about potential security vulnerabilities found by external third parties and how vulnerabilities are disclosed. Often called the “see something, say something" of the Internet, this public-facing program is an industry best practice. The VDP outlines how external third parties can report potential security vulnerabilities to ConnectWise so they can be safely resolved.

Q: What is ConnectWise doing to enhance its VDP?
ConnectWise is continually enhancing its VDP. Later in 2020, ConnectWise will add a managed vulnerability disclosure program that connects organizations with independent cybersecurity researchers. This enhancement to the program will provide ConnectWise with an external resource to provide an initial triage to issues identified by third parties.

Industry and Regulation Compliance

ConnectWise is routinely and thoroughly audited by independent third-party organizations and government agencies to ensure our products and practices comply with global and regional regulations and standards.

SOC 2

Security, Availability & Confidentiality of ConnectWise Software

Review ConnectWise SOC Certifications >>

General Data Protection Regulation and Your Data Security

Review ConnectWise GDPR Policy and Standards >>


We Are Proud to Be SOC 2 Type 2 Certified

As a reflection of our commitment to cybersecurity, ConnectWise recently passed an independent SOC 2 Type 2 audit for the benefit of all current and prospective Partners.

The intent of the SOC 2 audit is to assess and address the risks associated with using an outsourced service like ConnectWise, allowing you, our users, to have trust and confidence in us and manage the risk associated with our products. The reports provide assurance of the design and operating effectiveness of our control environment as they are the result of comprehensive, independent audits.

The ConnectWise SOC 2 Type 2 reports cover the Security, Availability, and Confidentiality principles of the AICPA Trust Services Criteria (TSC) for ConnectWise Manage®, ConnectWise Automate®, ConnectWise Sell®, and ConnectWise Control®. The ConnectWise SOC 2 Type 2 reports cover the Security, Privacy, and Confidentiality principles of the AICPA Trust Services Criteria (TSC) for ConnectWise Command®, ConnectWise Fortify®, ConnectWise Recover®, ConnectWise Assist®, ConnectWise Enable®, BrightGauge®, and ITBoost®.

Security: Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to meet its objectives.

Availability: Information and systems are available for operation and use to meet the entity’s objectives.

Confidentiality: Information designated as confidential is protected to meet the entity’s objectives.

Privacy: Information designated as confidential is protected to meet the entity’s objectives.

To request a copy of our SOC 2 report, send an email to compliance@connectwise.com. Please indicate the relevant product(s) in your request.

Privacy Protection

You trust us with your data, and we’re committed to keeping it safe. ConnectWise adheres to strict industry privacy standards and complies with new privacy standards and mandates as they progress. We strive to be as transparent as possible with our data collection and usage practices, with a goal of providing best-in-class products, services, and web experiences for users. We understand that individual rights, requirements and policies vary significantly across the globe, as well as for various users and audience members.