CVE-2025-11492 CRITICAL

CVE-2025-11492: HTTP Configuration and Encryption in Transit

Vendor Connectwise
Product Automate
Weakness CWE-319 · Cleartext transmission
Published October 16, 2025
Last update February 26, 2026

CVSS base score

9.6/10
Attack vector Adjacent
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

In the ConnectWise Automate Agent, communications could be configured to use HTTP instead of HTTPS. In such cases, an on-path threat actor with a man-in-the-middle network position could intercept, modify, or replay agent-server traffic. Additionally, the encryption method used to obfuscate some communications over the HTTP channel is updated in the Automate 2025.9 patch to enforce HTTPS for all agent communications.

Key dates

02Disclosure timeline

October 16, 2025 CVE published
February 26, 2026 Record updated