Skip to main content

ConnectWise Automate CVE-2026-9089

| EUVDEUVD-2026-31290 HIGH
Download of Code Without Integrity Check (CWE-494)
2026-05-21 ConnectWise GHSA-whv3-47vh-qhwp
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
May 21, 2026 - 16:30 vuln.today

DescriptionCVE.org

The ConnectWise Automate™ Agent does not fully verify the authenticity of components obtained during plugin loading and self-update operations. This issue is addressed in Automate 2026.5.

AnalysisAI

Code integrity failure in ConnectWise Automate Agent versions prior to 2026.5 allows adjacent network attackers to substitute malicious components during plugin loading and self-update operations. The Automate agent does not fully verify the authenticity of downloaded components, enabling code execution at the agent's privilege level across managed endpoints. No public exploit identified at time of analysis, though the high CVSS score of 8.8 and the agent's deep system access make this a priority remediation for MSPs using the platform.

Technical ContextAI

ConnectWise Automate (formerly LabTech) is a remote monitoring and management (RMM) platform widely used by managed service providers to administer endpoint fleets. The agent component runs on managed endpoints and periodically downloads plugins and self-update payloads from the Automate server infrastructure. The vulnerability maps to CWE-494 (Download of Code Without Integrity Check), meaning the agent fetches executable components without sufficiently validating their cryptographic authenticity - for example, missing or weak signature verification on downloaded plugins and update binaries. The CPE cpe:2.3:a:connectwise:automate covers the Automate product line, and the EUVD record (EUVD-2026-31290) corroborates that all versions prior to 2026.5 are affected.

RemediationAI

Upgrade to ConnectWise Automate 2026.5 or later, the vendor-released patch identified in the ConnectWise security bulletin dated 2026-05-21 (https://www.connectwise.com/company/trust/security-bulletins/2026-05-21-connectwise-automate-bulletin); this is the primary and authoritative fix. Until the upgrade can be staged across all managed endpoints, restrict the network segments where Automate agents operate so that only the legitimate Automate server is reachable for plugin and update traffic - segment agent VLANs, enforce egress filtering to known-good Automate server IPs/hostnames, and monitor for ARP spoofing or rogue DHCP on agent subnets given the AV:A adjacent-network attack vector. Consider temporarily pausing automatic plugin loading and self-update where the product allows, accepting the trade-off of delayed legitimate updates and manual plugin management overhead, and audit recent plugin/update activity for anomalies before patching.

Share

CVE-2026-9089 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy