ConnectWise is warning MSPs and customers about a security vulnerability in Automate, a widely deployed RMM (remote monitoring and management) software platform that has cloud and on-premises deployment models.
According to a statement from the company:
"ConnectWise is aware of a vulnerability in a ConnectWise Automate API that could potentially allow a remote user to execute modifications within an individual Automate instance. This affects on-premise and cloud based versions of the product."
For ConnectWise Automate Cloud Partners: ConnectWise has applied mitigating controls to block any potential exploitation and has applied the hotfix across all environments as of 8:45 pm Eastern Time, June 10, 2020. The vast majority of partners are on Cloud 2020.5 -- which contains the hotfix. For the small minority that are not on Cloud 2020.5, a mitigation is in place and a hotfix push is imminent.
For ConnectWise Automate On-premises Partners: ConnectWise strongly urges Automate on-premises partners to run the 2020.5 release as part of a best practice to be on the most up-to-date version. Also, the company says:
- On-premises partners should immediately consider the mitigating controls detailed here.
- Hotfix for version 2020.5 is available here and the .exe file is here.
- Hotfixes for older versions will be available in the coming days.
- Ongoing updates on these hotfixes are available here.
- Keep checking back for updates.
Also of Note
The June 10 alert follows a May 2020 warning about a ConnectWise Control phishing scam and ConnectWise Automate intrusion attempts. At the time of the May 2020 warnings, ConnectWise advised customers and partners to:
- carefully inspect emails related to Control to determine if they're legitimate, and avoid clicking on phishing links; and
- upgrade to Automate 2020.1 or higher to ensure MFA (multi-factor authentication) is activated. (Though a best practice is to be on the most current Automate version -- 2020.5 -- ConnectWise notes.)
ConnectWise Improves Security Posture, Disclosure Processes
The publicly disclosed ConnectWise alerts align with a vow that CEO Jason Magee made in March 2020. At the time, Magee and company leaders outlined major ConnectWise security initiatives to harden the firm's code base, and more effectively communicate security issues to partners.