ConnectWise Automate Security Vulnerability: RMM Software Hotfix Details for MSPs

ConnectWise is warning MSPs and customers about a security vulnerability with Automate, a widely deployed RMM (remote monitoring and management) software platform that has cloud and on-premises deployment models.

According to a statement from the company:

“ConnectWise is aware of a vulnerability in a ConnectWise Automate API that could potentially allow a remote user to execute modifications within an individual Automate instance. This affects on-premise and cloud based versions of the product.”

For ConnectWise Automate Cloud Partners: ConnectWise has applied mitigating controls to block any potential exploitation and has applied the hotfix across all environments as of 8:45 pm Eastern Time, June 10, 2020. The vast majority of partners are on Cloud 2020.5 — which contains the hotfix. For the small majority that are not on Cloud 2020.5, a mitigation is in place and a hotfix push is imminent.

For Connectwise Automate On-premises Partners: ConnectWise strongly urges Automate on-premises partners to run the 2020.5 release as part of a best practice to be on the most up-to-date version. Also, the company says:

  • On-premise partners should immediately consider the mitigating controls detailed here.
  • Hotfix for version 2020.5 is available here and the .exe file is here.
  • Hotfixes for older versions will be available in the coming days.
  • On-going updates on these hotfixes are available here.
  • Keep checking back for updates.

Also of Note

The June 10 alert follows a May 2020 warning about a ConnectWise Control phishing scam and ConnectWise Automate intrusion attempts. At the time of the May 2020 warnings, ConnectWise advised customers and partners to:

  1. carefully inspect emails related to Control to determine if they’re legitimate, and avoid clicking on phishing links; and
  2. upgrade to Automate 2020.1 or higher to ensure MFA (multi-factor authentication) is activated. (Though a best practice is to be on the most current Automate version — 2020.5 — ConnectWise notes.)

ConnectWise Improves Security Posture, Disclosure Processes

The publicly disclosed ConnectWise alerts align with a vow that CEO Jason Magee made in March 2020. At the time, Magee and company leaders outlined major ConnectWise security initiatives to harden the firm’s code base, and more effectively communicate security issues to partners.



Return Home



    Gavin Stone:

    Hi Joe. The recent security notice posted yesterday refers to an on-going event that requires mitigation steps for immediate protection followed by the installations of a hotfix to address the core vulnerability. It affects all version of Automate (including the latest). Patching to 2020.1 will NOT fix the vulnerability they are referencing.

    Joe Panettieri:

    Gavin: Thanks for your note. We’ve updated our coverage to more clearly draw a line between:

    1. a May 2020 warning from ConnectWise; and
    2. a June 10, 2020 warning from ConnectWise.

    Also, we’ve added deeper details about mitigations and fixes for the June 10 warning, based on a conversation with a ConnectWise spokesperson around 9:30 a.m. this morning.

    Thanks again for your readership and comment.


Leave a Reply

Your email address will not be published.