What is CVE-2023-25718?

CVE-2023-25718 is a vulnerability in ConnectWise Control through version 22.9.10032 that allows the addition of instructions without invalidating the signature of an executable file.

How severe is CVE-2023-25718?

CVE-2023-25718 has a severity rating of 9.8, which is considered critical.

How does CVE-2023-25718 affect ConnectWise Control?

CVE-2023-25718 allows an attacker to add additional instructions to a signed executable file in ConnectWise Control, potentially leading to the execution of attacker-controlled code.

Is there a fix for CVE-2023-25718?

At the time of writing, there is no known fix or patch available for CVE-2023-25718. It is recommended to follow responsible security practices and stay alert for any updates from ConnectWise.

Where can I find more information about CVE-2023-25718?

You can find more information about CVE-2023-25718 on the ConnectWise website and in the provided references.

Vulnerability/
CVE-2023-25718

critical

9.8

CWE

347

13/2/2023

2/8/2024

CVE-2023-25718

First published: Mon Feb 13 2023(Updated: )

** DISPUTED ** In ConnectWise Control through 22.9.10032 (formerly known as ScreenConnect), after an executable file is signed, additional instructions can be added without invalidating the signature, such as instructions that result in offering the end user a (different) attacker-controlled executable file. It is plausible that the end user may allow the download and execution of this file to proceed. There are ConnectWise Control configuration options that add mitigations. NOTE: this may overlap CVE-2023-25719. NOTE: the vendor's position is that this purported vulnerability represents a "fundamental lack of understanding of Authenticode code signing behavior."

Credit: cve@mitre.org cve@mitre.org

Affected Software	Affected Version	How to fix
ConnectWise Control	<=22.9.10032
	<=22.9.10032

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2023-25718?
CVE-2023-25718 is a vulnerability in ConnectWise Control through version 22.9.10032 that allows the addition of instructions without invalidating the signature of an executable file.
How severe is CVE-2023-25718?
CVE-2023-25718 has a severity rating of 9.8, which is considered critical.
How does CVE-2023-25718 affect ConnectWise Control?
CVE-2023-25718 allows an attacker to add additional instructions to a signed executable file in ConnectWise Control, potentially leading to the execution of attacker-controlled code.
Is there a fix for CVE-2023-25718?
At the time of writing, there is no known fix or patch available for CVE-2023-25718. It is recommended to follow responsible security practices and stay alert for any updates from ConnectWise.
Where can I find more information about CVE-2023-25718?
You can find more information about CVE-2023-25718 on the ConnectWise website and in the provided references.

collector/nvd-index
agent/references
agent/author
agent/type
agent/first-publish-date
agent/severity
agent/weakness
agent/status
agent/softwarecombine
agent/description
agent/event
agent/tags
collector/nvd-api
source/NVD
agent/software-canonical-lookup
agent/last-modified-date
collector/mitre-cve
source/MITRE
status/disputed
vendor/connectwise
canonical/connectwise control
version/connectwise control/22.9.10032

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.