ConnectWise · ConnectWise Risk Assessment · CVE-2025-4876
Name of the Vulnerable Software and Affected Versions:
ConnectWise Risk Assessment (affected versions not specified)
Description:
The issue allows an attacker to extract a hardcoded AES decryption key by reverse engineering the ConnectWise-Password-Encryption-Utility.exe binary shipped with ConnectWise Risk Assessment. The key is embedded in plaintext in the binary and is used for cryptographic operations without any dynamic key management. Once obtained, the key can be used to decrypt the CSV input files used for authenticated network scanning.
Recommendations:
At the moment, there is no information about a newer version that contains a fix for this vulnerability.