Vulnerability Description
ConnectWise Control before 22.9.10032 (formerly known as ScreenConnect) fails to validate user-supplied parameters such as the Bin/ConnectWiseControl.Client.exe h parameter. This results in reflected data and injection of malicious code into a downloaded executable. The executable can be used to execute malicious queries or as a denial-of-service vector. NOTE: this CVE Record is only about the parameters, such as the h parameter (this CVE Record is not about the separate issue of signed executable files that are supposed to have unique configurations across customers' installations).
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Connectwise | Control | < 22.9.10032 |
Related Weaknesses (CWE)
References
- https://cybir.com/2022/cve/hijacking-connectwise-control-and-ddos/ExploitThird Party Advisory
- https://m.youtube.com/watch?v=fbNVUgmstSc&pp=0gcJCf0Ao7VqN5tD
- https://www.connectwise.com/blog/cybersecurity/the-importance-of-responsible-sec
- https://cybir.com/2022/cve/hijacking-connectwise-control-and-ddos/ExploitThird Party Advisory
- https://www.connectwise.comProduct
- https://www.connectwise.com/blog/cybersecurity/the-importance-of-responsible-sec
- https://www.huntress.com/blog/clearing-the-air-overblown-claims-of-vulnerabiliti
FAQ
What is CVE-2023-25719?
CVE-2023-25719 is a vulnerability with a CVSS score of 8.8 (HIGH). ConnectWise Control before 22.9.10032 (formerly known as ScreenConnect) fails to validate user-supplied parameters such as the Bin/ConnectWiseControl.Client.exe h parameter. This results in reflected ...
How severe is CVE-2023-25719?
CVE-2023-25719 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-25719?
Check the references section above for vendor advisories and patch information. Affected products include: Connectwise Control.