Automate
Monthly
Code integrity failure in ConnectWise Automate Agent versions prior to 2026.5 allows adjacent network attackers to substitute malicious components during plugin loading and self-update operations. The Automate agent does not fully verify the authenticity of downloaded components, enabling code execution at the agent's privilege level across managed endpoints. No public exploit identified at time of analysis, though the high CVSS score of 8.8 and the agent's deep system access make this a priority remediation for MSPs using the platform.
Unencrypted client-server communications in ConnectWise Automate Solution Center expose sensitive data to network interception in all versions before 2026.4. Remote authenticated attackers with network access can capture Solution Center traffic containing potentially high-value confidential information (CVSS:3.1 C:H). No active exploitation confirmed at time of analysis. EPSS data unavailable for this recent CVE.
In Progress Chef Automate, versions earlier than 4.13.295, on Linux x86 platform, an authenticated attacker can gain access to Chef Automate restricted functionality in the compliance service via. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 17.3%.
In Progress Chef Automate, versions earlier than 4.13.295, on Linux x86 platform, an authenticated attacker can gain access to Chef Automate restricted functionality in multiple services via. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This SQL Injection vulnerability could allow attackers to execute arbitrary SQL commands against the database.
Code integrity failure in ConnectWise Automate Agent versions prior to 2026.5 allows adjacent network attackers to substitute malicious components during plugin loading and self-update operations. The Automate agent does not fully verify the authenticity of downloaded components, enabling code execution at the agent's privilege level across managed endpoints. No public exploit identified at time of analysis, though the high CVSS score of 8.8 and the agent's deep system access make this a priority remediation for MSPs using the platform.
Unencrypted client-server communications in ConnectWise Automate Solution Center expose sensitive data to network interception in all versions before 2026.4. Remote authenticated attackers with network access can capture Solution Center traffic containing potentially high-value confidential information (CVSS:3.1 C:H). No active exploitation confirmed at time of analysis. EPSS data unavailable for this recent CVE.
In Progress Chef Automate, versions earlier than 4.13.295, on Linux x86 platform, an authenticated attacker can gain access to Chef Automate restricted functionality in the compliance service via. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 17.3%.
In Progress Chef Automate, versions earlier than 4.13.295, on Linux x86 platform, an authenticated attacker can gain access to Chef Automate restricted functionality in multiple services via. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This SQL Injection vulnerability could allow attackers to execute arbitrary SQL commands against the database.