CVE Vulnerability

CVE-2023-25718

The cryptographic code signing process and controls on ConnectWise Control through 22.9.10032 (formerly known as ScreenConnect) are cryptographically flawed. An attacker can remotely generate or locally alter file contents and bypass code-signing controls. This can be used to execute code as a trusted application provider, escalate privileges, or execute arbitrary commands in the context of the user. The attacker tampers with a trusted, signed executable in transit.

9.8 /10

CVSS v3.0 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://www.connectwise.com Product
https://cybir.com/2022/cve/connectwise-control-dns-spoofing-poc/ Not Applicable
Configurations

Configuration 1

cpe:2.3:a:connectwise:control:*:*:*:*:*:*:*:*
Information

Published : 2023-02-13 08:15

Updated : 2023-02-23 03:24

NVD link : CVE-2023-25718

Mitre link : CVE-2023-25718

Products Affected
No products.
CWE
No CWE.