CVE-2023-25718
CRITICAL 9.8
Description
In ConnectWise Control through 22.9.10032 (formerly known as ScreenConnect), after an executable file is signed, additional instructions can be added without invalidating the signature, such as instructions that result in offering the end user a (different) attacker-controlled executable file. It is plausible that the end user may allow the download and execution of this file to proceed. There are ConnectWise Control configuration options that add mitigations.
CVE Details
CVSS v3.1 Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK
Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Published: 2/13/2023
Last Modified: 6/19/2025
Source: nvd
Honeypot Observations: 0
Affected Products
connectwise:control
Weaknesses (CWE)
CWE-347
References
https://www.connectwise.com/blog/cybersecurity/the-importance-of-responsible-security-disclosures (cve@mitre.org)
https://cybir.com/2022/cve/connectwise-control-dns-spoofing-poc/ (af854a3a-2127-422b-91ae-364da2661108)
https://www.connectwise.com (af854a3a-2127-422b-91ae-364da2661108)
https://www.connectwise.com/blog/cybersecurity/the-importance-of-responsible-security-disclosures (af854a3a-2127-422b-91ae-364da2661108)
https://www.huntress.com/blog/clearing-the-air-overblown-claims-of-vulnerabilities-exploits-severity (af854a3a-2127-422b-91ae-364da2661108)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.