-
MDRAddress the growing frequency, type, and severity of cyber threats against SMB endpoints
-
SIEMCentralize threat visibility and analysis, backed by cutting-edge threat intelligence
-
Risk Assessment & Vulnerability ManagementIdentify unknown cyber risks and routinely scan for vulnerabilities
-
Identity ManagementSecure and streamline client access to devices and applications with strong authentication and SSO
-
Cloud App SecurityMonitor and manage SaaS security risks for the entire Microsoft 365 environment.
-
SASEZero trust secure access for users, locations, and devices
-
Enterprise-grade SOCProvide 24/7 threat monitoring and response backed by proprietary threat research and intelligence and certified cyber experts
-
Policy ManagementCreate, deploy, and manage client security policies and profiles
-
Incident Response ServiceOn-tap cyber experts to address critical security incidents
-
Cybersecurity GlossaryGuide to the most common, important terms in the industry
ConnectWise Automate 2024.3 security fix
03/14/2024
Summary
ConnectWise Automate™ server version 2024.2 and earlier versions have been identified as vulnerable to blind SQL injection (time-based) within the API. This vulnerability could allow authenticated remote attackers to inject SQL commands, enabling them to read, modify, and delete database records when executing commands.
Vulnerability
CWE ID |
Description |
Base Score |
Vector |
CWE-89 |
Improper neutralization of special elements used in an SQL command (“SQL injection”) |
8.8 |
Severity
Important—Vulnerabilities that could compromise confidential data or other processing resources but requires additional access / privilege to do so.
Priority
2—Vulnerabilities that have elevated risk, but exploits are neither known nor anticipated to be imminent. Recommend updates within normal change management timelines but no longer than 30 days.
Affected versions
ConnectWise Automate server version 2024.2 and earlier versions are impacted. Remote agents are not directly impacted by this issue.
Remediation
Cloud
Cloud instances have already been updated to the latest Automate release and no action is required.
On-premise
Apply the 2024.3 release.
Note: While ConnectWise Automate remote agent updates are always recommended after a release, an update to the remote agent is not a requirement to remediate this vulnerability.
To update to the newest release, please click here.