ConnectWise Takes Proactive Measures to Address Security Concerns

Date: June 12, 2025
Author: Ravie Lakshmanan
Tags: Vulnerability, Software Security

ConnectWise recently announced plans to rotate the digital code signing certificates for several of its key products, including ScreenConnect, ConnectWise Automate, and ConnectWise remote monitoring and management (RMM) executables. This decision is driven by security issues identified by a third-party researcher concerning how ScreenConnect managed certain configuration data in earlier versions.

The Security Concern

While ConnectWise has not disclosed the specifics publicly, additional details surfaced in a private FAQ shared with customers and later discussed on platforms like Reddit. The primary issue involves ScreenConnect’s method of storing configuration data within an installer section that is not signed, though it remains a part of the installer package. This area is utilized to convey essential configuration data for connection setups, such as the URL where the agent should make callbacks. While the approach aims to maintain the digital signature’s validity, it raises concerns about creating an insecure design pattern under today’s security standards.

Planned Updates and Enhancements

In conjunction with the certificate rotation, ConnectWise is implementing an update intended to enhance the management of configuration data within ScreenConnect. This dual-action approach demonstrates the company’s commitment to addressing potential vulnerabilities proactively.

The revocation of the existing digital certificates is scheduled for June 13 at 8 p.m. ET (June 14, 12 a.m. UTC). Importantly, ConnectWise has clarified that this situation does not stem from any sort of compromise affecting their systems or certificates.

Automatic Updates and User Responsibilities

ConnectWise noted that it has already begun updating certificates and agents across all cloud instances of Automate and RMM. However, users operating on-premise versions of ScreenConnect or Automate must take initiative. These customers are urged to update to the latest build and confirm that all their agents are current before the specified cutoff to prevent service disruption.

ConnectWise reassured users by stating, "We had already planned enhancements to certificate management and product hardening, but these efforts are now being implemented on an accelerated timeline." The company recognizes that transitioning may present challenges and has committed to supporting its users throughout the process.

Recent Security Threats and Response

This security announcement follows closely on the heels of another significant concern: a suspected nation-state actor allegedly breaching ConnectWise’s systems and affecting a small user group by exploiting vulnerabilities (specifically CVE-2025-3935) for ViewState code injection attacks.

As cybercriminals increasingly leverage legitimate RMM software like ScreenConnect to gain covert, persistent remote access, the landscape of cybersecurity threats is evolving rapidly. This technique, known as "living-off-the-land" (LotL), allows attackers to manipulate the software’s native functionalities for remote access, file transfers, and command execution, effectively blending into legitimate system activity.

For continuous updates and more in-depth coverage of this unfolding situation in software security, follow us on Twitter and LinkedIn.