CVE-2023-25718

CVSS V2 None CVSS V3 None

Description

In ConnectWise Control through 22.9.10032 (formerly known as ScreenConnect), after an executable file is signed, additional instructions can be added without invalidating the signature, such as instructions that result in offering the end user a (different) attacker-controlled executable file. It is plausible that the end user may allow the download and execution of this file to proceed. There are ConnectWise Control configuration options that add mitigations. NOTE: this may overlap CVE-2023-25719.

Overview

CVE ID
CVE-2023-25718

Assigner
cve@mitre.org

Vulnerability Status
Modified

Published Version
2023-02-13T20:15:11

Last Modified Date
2023-03-05T20:15:08

Weakness Enumerations

CWE	URL
CWE-347	http://cwe.mitre.org/data/definitions/347.html

CPE Configuration (Product)

CPE	Vulnerable	Operator	Version Start	Version End
cpe:2.3:a:connectwise:control::::::::	1	OR		22.9.10032

References

Reference URL	Reference Tags
https://cybir.com/2022/cve/connectwise-control-dns-spoofing-poc/	Not Applicable
https://www.connectwise.com	Product
https://www.connectwise.com/blog/cybersecurity/the-importance-of-responsible-security-disclosures
https://www.huntress.com/blog/clearing-the-air-overblown-claims-of-vulnerabilities-exploits-severity

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2023-25718
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25718

History

Created	Old Value	New Value	Data Type	Notes
2023-04-17 07:38:58				Added to TrackCVE
2023-04-17 07:38:59			Weakness Enumeration	new