ConnectWise Automate 2024.3 security fix

03/14/2024
Products: Automate
Severity: Important
Priority: 2 - Moderate

Summary
ConnectWise Automate™ server version 2024.2 and earlier versions have been identified as vulnerable to blind SQL injection (time-based) within the API. This vulnerability could allow authenticated remote attackers to inject SQL commands, enabling them to read, modify, and delete database records when executing commands.
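Because the flaw is time-based and blind, exploitation leaves no error text in the response; what it does leave is a delay primitive in the request and a run of abnormally slow responses from one authenticated user against one endpoint. The script below is an added example, not code from ConnectWise or from this advisory: it scans constructed API access-log lines for both signals. The endpoint paths, log format, latency threshold and the assumption of a MySQL backend are all assumptions made for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit

# Constructed sample API access log (not from the advisory): method, URL,
# status, response time in ms, authenticated user. Paths are made up.
SAMPLE_LOG = """\
GET /api/v1/clients?id=42 200 35 svc_user
GET /api/v1/clients?id=42%20AND%20SLEEP(5) 200 5021 svc_user
GET /api/v1/clients?id=42%20AND%20IF(1=1,SLEEP(5),0) 200 5018 svc_user
GET /api/v1/clients?id=43 200 31 admin
GET /api/v1/clients?id=42%27%20AND%20BENCHMARK(5000000,MD5(1))--%20 200 4900 svc_user
GET /api/v1/reports?id=7 200 3100 admin
"""

# Delay primitives used by time-based blind injection. MySQL ones first
# (assumed backend), then other common dialects so the check is portable.
DELAY_PRIMITIVES = re.compile(
    r"\b(sleep|benchmark|pg_sleep|waitfor\s+delay|dbms_lock\.sleep)\b", re.I)
SLOW_MS = 3000  # assumed threshold; tune to the endpoint's normal latency

def parse_line(line):
    method, url, status, ms, user = line.split()
    parts = urlsplit(url)
    # Decode before matching so %20 / + encodings cannot hide the keyword.
    return {"method": method, "path": parts.path, "query": unquote_plus(parts.query),
            "status": int(status), "ms": int(ms), "user": user}

def flag_request(rec, slow_ms=SLOW_MS):
    reasons = []
    if DELAY_PRIMITIVES.search(rec["query"]):
        reasons.append("delay-primitive")
    if rec["ms"] >= slow_ms:
        reasons.append("slow-response")
    return reasons

def scan(log_text, slow_ms=SLOW_MS, repeat=2):
    recs = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    hits = [(r["user"], r["path"], r["query"], flag_request(r, slow_ms)) for r in recs]
    hits = [h for h in hits if h[3]]
    # One slow request is noise; the same user repeatedly hitting one endpoint
    # with slow responses is the shape of a blind, bit-by-bit extraction.
    slow_pairs = Counter((r["user"], r["path"]) for r in recs if r["ms"] >= slow_ms)
    repeated = {pair for pair, n in slow_pairs.items() if n >= repeat}
    return hits, repeated

if __name__ == "__main__":
    hits, repeated = scan(SAMPLE_LOG)
    for user, path, query, reasons in hits:
        print(user, path, query, reasons)
    print("repeated slow pairs:", repeated)
```

The latency signal matters most for requests whose payload is obfuscated past the regex; correlate it with the user in the authenticated session, since the advisory scopes the flaw to authenticated callers.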

Vulnerability

CWE ID:      CWE-89
Description: Improper neutralization of special elements used in an SQL command ("SQL injection")
Base Score:  8.8
Vector:      CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Severity
Important—Vulnerabilities that could compromise confidential data or other processing resources but require additional access / privilege to do so.

Priority
2—Vulnerabilities that have elevated risk, but exploits are neither known nor anticipated to be imminent. Recommend updates within normal change management timelines but no longer than 30 days.

Affected versions
ConnectWise Automate server version 2024.2 and earlier versions are impacted. Remote agents are not directly impacted by this issue.

Remediation
Cloud
Cloud instances have already been updated to the latest Automate release and no action is required.

On-premise
Apply the 2024.3 release.

Note: While ConnectWise Automate remote agent updates are always recommended after a release, an update to the remote agent is not a requirement to remediate this vulnerability.

To update to the newest release, please click here.