UPDATE - ConnectWise Automate API Vulnerability

06/12/2020
Products: Automate
Severity: Critical
Priority: 1 - High

Vulnerability Details:

CVSS Score: 7.8

Description:

A remote authenticated user could exploit a vulnerability in a specific Automate API to execute commands and/or make modifications within an individual Automate instance.

Remediation:

CLOUD PARTNERS:

  • ConnectWise has re-applied mitigation steps related to deployment of agent installations to address additional hardening measures that will be applied later today via a new hotfix or patch for partners.

ON-PREMISE PARTNERS:

  • 2020.5-2020.1 partners, please apply the currently available hotfix for your version, linked below, and then re-implement the mitigation steps described here.
    • 2020.5.176 is available here or the .exe file is here.
    • 2020.4.142 is available here or the .exe file is here.
    • 2020.3.113 is available here or the .exe file is here.
    • 2020.2.84 is available here or the .exe file is here.
    • 2020.1.52 is available here or the .exe file is here.
  • 2019.12 and prior partners, please implement or ensure you have implemented the mitigation steps described here. A hotfix for current version 2019.12 and a patch for prior versions are being made available soon.