What is CVE-2023-25719?

CVE-2023-25719 is a vulnerability in ConnectWise Control (formerly known as ScreenConnect) that allows for the injection of malicious code into a downloaded executable.

What is the severity of CVE-2023-25719?

The severity of CVE-2023-25719 is high, with a severity value of 8.8.

How does CVE-2023-25719 affect ConnectWise Control?

CVE-2023-25719 affects ConnectWise Control versions before 22.9.10032 by failing to validate user-supplied parameters, which can result in the injection of malicious code into downloaded executables.

How can I fix CVE-2023-25719?

To fix CVE-2023-25719, it is recommended to upgrade ConnectWise Control to version 22.9.10032 or higher, which includes the necessary validation of user-supplied parameters.

CWE-74 is a code injection vulnerability that occurs when untrusted data is used to construct dynamic code that is executed by the application.

Vulnerability/
CVE-2023-25719

high

8.8

CWE

13/2/2023

2/8/2024

CVE-2023-25719

First published: Mon Feb 13 2023(Updated: )

ConnectWise Control before 22.9.10032 (formerly known as ScreenConnect) fails to validate user-supplied parameters such as the Bin/ConnectWiseControl.Client.exe h parameter. This results in reflected data and injection of malicious code into a downloaded executable. The executable can be used to execute malicious queries or as a denial-of-service vector. NOTE: this CVE Record is only about the parameters, such as the h parameter (this CVE Record is not about the separate issue of signed executable files that are supposed to have unique configurations across customers' installations).

Credit: cve@mitre.org

Affected Software	Affected Version	How to fix
ConnectWise Control	<22.9.10032

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2023-25719?
CVE-2023-25719 is a vulnerability in ConnectWise Control (formerly known as ScreenConnect) that allows for the injection of malicious code into a downloaded executable.
What is the severity of CVE-2023-25719?
The severity of CVE-2023-25719 is high, with a severity value of 8.8.
How does CVE-2023-25719 affect ConnectWise Control?
CVE-2023-25719 affects ConnectWise Control versions before 22.9.10032 by failing to validate user-supplied parameters, which can result in the injection of malicious code into downloaded executables.
How can I fix CVE-2023-25719?
To fix CVE-2023-25719, it is recommended to upgrade ConnectWise Control to version 22.9.10032 or higher, which includes the necessary validation of user-supplied parameters.
What is CWE-74?
CWE-74 is a code injection vulnerability that occurs when untrusted data is used to construct dynamic code that is executed by the application.

collector/nvd-index
agent/severity
agent/type
agent/author
agent/weakness
agent/event
agent/references
agent/last-modified-date
agent/softwarecombine
agent/first-publish-date
agent/description
agent/tags
collector/mitre-cve
source/MITRE
vendor/connectwise
canonical/connectwise control

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.