PT-2023-20270 · Connectwise · Connectwise Control
Published 2023-02-13 · Updated 2025-06-19 · CVE-2023-25718
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
ConnectWise Control versions through 22.9.10032
Description
The issue concerns the cryptographic code signing process in ConnectWise Control. It allows an attacker to add instructions to a signed executable file without invalidating the signature, potentially leading to the execution of an attacker-controlled file. This could result in code execution as a trusted application provider, privilege escalation, or the execution of arbitrary commands in the context of the user. The attacker can tamper with a trusted, signed executable in transit.
Recommendations
For ConnectWise Control versions through 22.9.10032, consider utilizing the available configuration options to add mitigations. As a temporary workaround, restrict the execution of files that have been altered in transit to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Improper Verification of Cryptographic Signature
Weakness Enumeration
Related Identifiers
Affected Products
Connectwise Control