CVE-2023-25719
Summary
| CVE | CVE-2023-25719 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2023-02-13 20:15:00 UTC |
| Updated | 2023-03-05 20:15:00 UTC |
| Description | ConnectWise Control before 22.9.10032 (formerly known as ScreenConnect) fails to validate user-supplied parameters such as the Bin/ConnectWiseControl.Client.exe h parameter. This results in reflected data and injection of malicious code into a downloaded executable. The executable can be used to execute malicious queries or as a denial-of-service vector. NOTE: this CVE Record is only about the parameters, such as the h parameter (this CVE Record is not about the separate issue of signed executable files that are supposed to have unique configurations across customers' installations). |
Risk And Classification
Problem Types: CWE-74
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Connectwise | Control | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Clearing the Air: Overblown Claims of Vulnerabilities, Exploits & Severity | MISC | www.huntress.com | |
| Hijacking Connectwise Control & Screen Connect (v.22.9.10032, MULTIPLE) for Fun and Profit - From DDoS to Multi-OS RCE! - CYBIR - Cyber Security, Incident Response, & Digital Forensics | MISC | cybir.com | |
| The Importance of Responsible Security Disclosures | MISC | www.connectwise.com | |
| MSP Technology \| IT Management Software \| ConnectWise | MISC | www.connectwise.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.