UPDATE - ConnectWise Automate API Vulnerability

06/13/2020
Products: Automate
Severity: Critical
Priority: 1 - High

Vulnerability Details:

CVSS Score: 7.8

Description:

A remote authenticated user could exploit a vulnerability in a specific Automate API and execute commands and/or modifications within an individual Automate instance.

Remediation:

CLOUD PARTNERS:

  • ConnectWise re-applied the mitigation steps related to deployment of agent installations in order to address additional hardening measures, and we have applied the updated hotfix – 2020.5.178 – which includes those hardening measures.
  • With this hotfix, the mitigation that interrupted deployment features was removed.

ON-PREMISE PARTNERS:

  • On-premise partners should immediately apply the hotfix listed below based on their instance version.
    • 2020.5.178 is available here or the .exe file is here.
    • 2020.4.143 is available here or the .exe file is here.
    • 2020.3.114 is available here or the .exe file is here.
    • 2020.2.85 is available here or the .exe file is here.
    • 2020.1.53 is available here or the .exe file is here.
    • 2019.12.337 is available here or the .exe file is here.
  • Partners on 2019.11 or older: please ensure you have implemented the mitigation steps described here. We strongly encourage you to update to 2019.12 at a minimum.
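
For partners tracking several on-premise instances, the hotfix list above can be turned into a triage check. This is an added example, not ConnectWise code: the function names are hypothetical, versions are assumed to be written as year.release.build, and a build at or above the listed hotfix on the same release line is assumed to include the fix.

```python
# Added example: triage Automate instance versions against the hotfix builds
# listed in this advisory. Assumption (not stated by the advisory): a build
# number at or above the listed hotfix on the same release line includes the fix.
import re

# Hotfix build per release line, copied from the advisory's on-premise list.
HOTFIX_BUILD = {
    (2020, 5): 178,
    (2020, 4): 143,
    (2020, 3): 114,
    (2020, 2): 85,
    (2020, 1): 53,
    (2019, 12): 337,
}
OLDEST_FIXED_LINE = min(HOTFIX_BUILD)  # (2019, 12)

VERSION_RE = re.compile(r"^(\d{4})\.(\d{1,2})\.(\d+)$")


def triage(version: str) -> str:
    """Classify one 'year.release.build' version string."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return "invalid"
    year, release, build = (int(g) for g in m.groups())
    line = (year, release)
    if line < OLDEST_FIXED_LINE:
        # 2019.11 or older: no hotfix listed; mitigation steps plus upgrade.
        return "mitigate-and-upgrade"
    floor = HOTFIX_BUILD.get(line)
    if floor is None:
        # Release line not named in the advisory; do not guess its status.
        return "not-covered"
    return "patched" if build >= floor else "apply-hotfix"


def triage_inventory(versions):
    """Map each version string to its status, keeping input order."""
    return {v: triage(v) for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory; these are not real instances.
    sample = ["2020.5.178", "2020.4.100", "2019.9.250", "2020.6.10", "12.0.1"]
    for version, status in triage_inventory(sample).items():
        print(f"{version:12} {status}")
```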