Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2025-14265

Summary
Assigner-ConnectWise
Assigner Org ID-7d616e1a-3288-43b1-a0dd-0a65d3e70a49
Published At-11 Dec, 2025 | 14:21
Updated At-12 Dec, 2025 | 04:55
Rejected At-
Credits

Improper server-side validation in ScreenConnect extension framework

In versions of ScreenConnect™ prior to 25.8, server-side validation and integrity checks within the extension subsystem could allow the installation and execution of untrusted or arbitrary extensions by authorized or administrative users. Abuse of this behavior could result in the execution of custom code on the server or unauthorized access to application configuration data. This issue affects only the ScreenConnect server component; host and guest clients are not impacted. ScreenConnect 25.8 introduces enhanced server-side configuration handling and integrity checks to ensure only trusted extensions can be installed.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:ConnectWise
Assigner Org ID:7d616e1a-3288-43b1-a0dd-0a65d3e70a49
Published At:11 Dec, 2025 | 14:21
Updated At:12 Dec, 2025 | 04:55
Rejected At:
▼CVE Numbering Authority (CNA)
Improper server-side validation in ScreenConnect extension framework

In versions of ScreenConnect™ prior to 25.8, server-side validation and integrity checks within the extension subsystem could allow the installation and execution of untrusted or arbitrary extensions by authorized or administrative users. Abuse of this behavior could result in the execution of custom code on the server or unauthorized access to application configuration data. This issue affects only the ScreenConnect server component; host and guest clients are not impacted. ScreenConnect 25.8 introduces enhanced server-side configuration handling and integrity checks to ensure only trusted extensions can be installed.

Affected Products
Vendor
ConnectWise
Product
ScreenConnect
Modules
  • Web Application Server
Default Status
unaffected
Versions
Affected
  • All versions prior to 2025.8
Problem Types
TypeCWE IDDescription
CWECWE-494CWE-494 Download of Code Without Integrity Check
Type: CWE
CWE ID: CWE-494
Description: CWE-494 Download of Code Without Integrity Check
Metrics
VersionBase scoreBase severityVector
3.19.1CRITICAL
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Version: 3.1
Base score: 9.1
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
CAPEC-137CAPEC-137 Parameter Injection
CAPEC ID: CAPEC-137
Description: CAPEC-137 Parameter Injection
Solutions

Cloud: No action is required. ScreenConnect servers hosted in “screenconnect.com” cloud (standalone and Automate/RMM integrated) or “hostedrmm.com” for Automate partners have been updated to remediate the issue.    On-prem: * ScreenConnect Partners: Please upgrade to ScreenConnect version 25.8 and update your guest clients to the same version. Visit Download | ScreenConnect page to download and apply the update (access requires a valid on-premises license).  * Automate On-Prem Partners with ScreenConnect Integration:  Partners using an on-premises ScreenConnect installation integrated with Automate must ensure that the Automate ScreenConnect Extension is updated to version 4.4.0.16 before upgrading the ScreenConnect server to version 25.8. Once confirmed, visit the Automate Product Updates https://docs.connectwise.com/ConnectWise_Automate_Documentation/Automate_Product_Updates page to download and apply the ScreenConnect 25.8 update.

Configurations
Workarounds
Exploits
Credits
finder
Paul Whiting (Ultraviolet Cyber)
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.connectwise.com/company/trust/security-bulletins/screenconnect-2025.8-security-patch
N/A
Hyperlink: https://www.connectwise.com/company/trust/security-bulletins/screenconnect-2025.8-security-patch
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:7d616e1a-3288-43b1-a0dd-0a65d3e70a49
Published At:11 Dec, 2025 | 15:15
Updated At:12 Dec, 2025 | 15:18

In versions of ScreenConnect™ prior to 25.8, server-side validation and integrity checks within the extension subsystem could allow the installation and execution of untrusted or arbitrary extensions by authorized or administrative users. Abuse of this behavior could result in the execution of custom code on the server or unauthorized access to application configuration data. This issue affects only the ScreenConnect server component; host and guest clients are not impacted. ScreenConnect 25.8 introduces enhanced server-side configuration handling and integrity checks to ensure only trusted extensions can be installed.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.19.1CRITICAL
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Type: Secondary
Version: 3.1
Base score: 9.1
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-494Secondary7d616e1a-3288-43b1-a0dd-0a65d3e70a49
CWE ID: CWE-494
Type: Secondary
Source: 7d616e1a-3288-43b1-a0dd-0a65d3e70a49
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://www.connectwise.com/company/trust/security-bulletins/screenconnect-2025.8-security-patch7d616e1a-3288-43b1-a0dd-0a65d3e70a49
N/A
Hyperlink: https://www.connectwise.com/company/trust/security-bulletins/screenconnect-2025.8-security-patch
Source: 7d616e1a-3288-43b1-a0dd-0a65d3e70a49
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

2Records found
CVE-2025-11493
Matching Score-6
Assigner-ConnectWise LLC
ShareView Details
Matching Score-6
Assigner-ConnectWise LLC
CVSS Score-8.8||HIGH
EPSS-0.02% / 3.29%
||
7 Day CHG~0.00%
Published-16 Oct, 2025 | 19:00
Updated-29 Oct, 2025 | 19:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Self-Update Verification Mechanism Process in ConnectWise Automate

The ConnectWise Automate Agent does not fully verify the authenticity of files downloaded from the server, such as updates, dependencies, and integrations. This creates a risk where an on-path attacker could perform a man-in-the-middle attack and substitute malicious files for legitimate ones by impersonating a legitimate server. This risk is mitigated when HTTPS is enforced and is related to CVE-2025-11492.

Action-Not Available
Vendor-connectwiseConnectWise
Product-automateAutomate
CWE ID-CWE-494
Download of Code Without Integrity Check
CVE-2025-68109
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-9.1||CRITICAL
EPSS-0.23% / 45.96%
||
7 Day CHG~0.00%
Published-17 Dec, 2025 | 21:29
Updated-18 Dec, 2025 | 18:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ChurchCRM vulnerable to RCE with database restore functionality

ChurchCRM is an open-source church management system. In versions prior to 6.5.3, the Database Restore functionality does not validate the content or file extension of uploaded files. As a result, an attacker can upload a web shell file and subsequently upload a .htaccess file to enable direct access to it. Once accessed, the uploaded web shell allows remote code execution (RCE) on the server. Version 6.5.3 fixes the issue.

Action-Not Available
Vendor-churchcrmChurchCRM
Product-churchcrmCRM
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CWE ID-CWE-494
Download of Code Without Integrity Check
CWE ID-CWE-552
Files or Directories Accessible to External Parties
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE ID-CWE-915
Improperly Controlled Modification of Dynamically-Determined Object Attributes
Details not found