ConnectWise · ConnectWise Automate · CVE-2020-15008
**Name of the Vulnerable Software and Affected Versions**
ConnectWise Automate versions prior to 2020.7
ConnectWise Automate versions prior to 2019.12
**Description**
A SQL Injection issue exists in the probe code due to inadequate server-side validation, allowing arbitrary update commands to be run by modifying the table name. The code creates dynamic SQL for the insert statement and utilizes the user-supplied table name with little validation. Other SQL injection techniques, such as timing attacks, can be used to perform full data extraction.
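The pattern described above, shown next to a hardened form, as an added example that is not code from the product or from this advisory. The table names, column names, function names and the use of in-memory SQLite are all assumptions for illustration, and the inputs are constructed.

```python
import sqlite3

# Hypothetical schema: these table and column names are assumptions for
# illustration, not ConnectWise Automate's real schema.
ALLOWED_TABLES = {
    "probe_results": ("host", "status"),
    "probe_events": ("host", "message"),
}

def build_insert_unsafe(table, row):
    """Flawed pattern: caller-supplied table name concatenated into the SQL."""
    cols = ", ".join(row)
    vals = ", ".join("'%s'" % v for v in row.values())
    return "INSERT INTO %s (%s) VALUES (%s)" % (table, cols, vals)

def build_insert_safe(table, row):
    """Identifiers cannot be bound as parameters, so the table and column
    names must match a fixed allowlist; only the values are bound."""
    if table not in ALLOWED_TABLES:
        raise ValueError("table not permitted: %r" % (table,))
    cols = [c for c in ALLOWED_TABLES[table] if c in row]
    if not cols or len(cols) != len(row):
        raise ValueError("unexpected columns for %s: %r" % (table, sorted(row)))
    sql = "INSERT INTO %s (%s) VALUES (%s)" % (
        table, ", ".join(cols), ", ".join("?" for _ in cols))
    return sql, [row[c] for c in cols]

def demo():
    """Run constructed inputs through the safe builder on in-memory SQLite."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE probe_results (host TEXT, status TEXT)")
    conn.execute("CREATE TABLE probe_events (host TEXT, message TEXT)")
    # A value containing SQL metacharacters is stored as data, not parsed.
    sql, params = build_insert_safe(
        "probe_results", {"host": "10.0.0.5", "status": "up'; --"})
    conn.execute(sql, params)
    # Constructed hostile table name: rejected before any SQL is built.
    hostile = "probe_results; UPDATE probe_events SET message = 'x' --"
    try:
        build_insert_safe(hostile, {"host": "h"})
        rejected = False
    except ValueError:
        rejected = True
    rows = conn.execute("SELECT host, status FROM probe_results").fetchall()
    conn.close()
    return rows, rejected

if __name__ == "__main__":
    print(demo())
```

Escaping or quoting the table name is not a substitute for the allowlist: the server should only ever emit identifiers it already knows.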
**Recommendations**
For versions prior to 2020.7, update to version 2020.7 or later.
For versions prior to 2019.12, apply the hotfix for 2019.12.
As a temporary workaround, consider restricting access to the probe implementation to minimize the risk of exploitation.