CVE-2025-4876 MEDIUM

CVE-2025-4876: Hardcoded Key Revealed in ConnectWise Password Encryption Utility

Vendor ConnectWise
Product Risk Assessment
Weakness CWE-321
Published May 19, 2025
Last update September 3, 2025

CVSS base score

6.0/10
Attack vector Local
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

What the vulnerability does

01 Description

ConnectWise-Password-Encryption-Utility.exe in ConnectWise Risk Assessment allows an attacker to extract a hardcoded AES decryption key via reverse engineering. This key is embedded in plaintext within the binary and used in cryptographic operations without dynamic key management. Once obtained, the key can be used to decrypt CSV input files used for authenticated network scanning.

Key dates

02 Disclosure timeline

May 19, 2025 CVE published
September 3, 2025 Record updated