Unrated severityNVD Advisory· Published Oct 16, 2025· Updated Feb 26, 2026

HTTP Configuration and Encryption in Transit

CVE-2025-11492

Description

In the ConnectWise Automate Agent, communications could be configured to use HTTP instead of HTTPS. In such cases, an on-path threat actor with a man-in-the-middle network position could intercept, modify, or replay agent-server traffic. Additionally, the encryption method used to obfuscate some communications over the HTTP channel is updated in the Automate 2025.9 patch to enforce HTTPS for all agent communications.

Affected products

Connectwise/Automatev5
Range: All versions prior to 2025.9

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.connectwise.com/company/trust/security-bulletins/connectwise-automate-2025.9-security-fixmitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000