PT-2025-52259 · Connectwise · Screenconnect

Michael Gilliam · Published 2025-12-18 · Updated 2025-12-19 · CVE-2025-14823

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

ScreenConnect versions prior to 1.0.12

Description

In deployments utilizing the Certificate Signing Extension, encrypted configuration values, potentially including an Azure Key Vault-related key, could be disclosed to unauthenticated users via a client-facing endpoint under specific circumstances. While the values were encrypted and securely stored, their encrypted representation was potentially exposed in client responses. The issue relates to configuration handling occurring on the client side, allowing encrypted values to be transmitted to and rendered by client components.

Recommendations

Update the Certificate Signing Extension to version 1.0.12 or higher to ensure configuration handling occurs exclusively on the server side, preventing encrypted values from being transmitted to or rendered by client-side components.

Related Identifiers

CVE-2025-14823

Affected Products

Screenconnect