PT-2023-18848 · Connectwise · Connectwise Control

L00Neyhacker · Published 2023-02-01 · Updated 2024-08-02 · CVE-2023-23127

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Connectwise Control version 22.8.10013.8329

Description

The login page of Connectwise Control does not implement HSTS headers, which results in not enforcing HTTPS. The vendor's position is that this behavior is controlled by a configuration option, allowing customers to choose HTTP over HTTPS during troubleshooting.

Recommendations

For version 22.8.10013.8329, consider configuring the system to use HTTPS instead of HTTP, especially during normal operation, to minimize the risk of exploitation. As a temporary workaround, restrict access to the login page to trusted sources until a more permanent solution is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
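
One way to verify the condition described above, as an added example (not code from the vendor or from this advisory): it parses a Strict-Transport-Security value following the RFC 6797 rules and reports whether a browser would actually enforce it. The function names and the sample responses are constructed for illustration.

```python
# Added example: HSTS evaluation per RFC 6797; names and sample responses are constructed.

def parse_hsts(value):
    """Return {'max_age': int, 'include_subdomains': bool} or None if invalid."""
    seen = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # empty directives are permitted by the grammar
        name, _, arg = part.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        arg = arg.strip()
        if len(arg) >= 2 and arg[0] == arg[-1] == '"':
            arg = arg[1:-1]  # quoted-string form is allowed
        if name in seen:
            return None  # a repeated directive invalidates the header
        seen[name] = arg
    max_age = seen.get("max-age", "")
    if not (max_age.isascii() and max_age.isdigit()):
        return None  # max-age is required and must be non-negative digits
    return {"max_age": int(max_age), "include_subdomains": "includesubdomains" in seen}


def hsts_status(scheme, headers):
    """Classify a response given its URL scheme and header dict."""
    values = [v for k, v in headers.items() if k.lower() == "strict-transport-security"]
    if not values:
        return "missing"
    if scheme != "https":
        return "ignored-over-http"  # browsers ignore HSTS sent over plain HTTP
    policy = parse_hsts(values[0])
    if policy is None:
        return "invalid"
    if policy["max_age"] == 0:
        return "disabled"  # max-age=0 tells the browser to drop the policy
    return "enforced"

# Constructed sample responses for a login page.
SAMPLES = [
    ("https", {"Content-Type": "text/html"}),
    ("http", {"Strict-Transport-Security": "max-age=31536000"}),
    ("https", {"strict-transport-security": 'MAX-AGE="31536000"; includeSubDomains'}),
    ("https", {"Strict-Transport-Security": "max-age=0"}),
    ("https", {"Strict-Transport-Security": "includeSubDomains"}),
]

if __name__ == "__main__":
    for scheme, headers in SAMPLES:
        print(scheme, hsts_status(scheme, headers))
```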

Exploit

Missing Encryption of Sensitive Data

Weakness Enumeration

Related Identifiers

CVE-2023-23127

Affected Products

Connectwise Control