Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CVE Vulnerability Details :
CVE-2025-14265
PUBLISHED
More InfoOfficial Page
Assigner-ConnectWise
Assigner Org ID-7d616e1a-3288-43b1-a0dd-0a65d3e70a49
View Known Exploited Vulnerability (KEV) details
Published At-11 Dec, 2025 | 14:21
Updated At-12 Dec, 2025 | 04:55
Rejected At-
▼CVE Numbering Authority (CNA)
Improper server-side validation in ScreenConnect extension framework

In versions of ScreenConnect™ prior to 25.8, server-side validation and integrity checks within the extension subsystem could allow the installation and execution of untrusted or arbitrary extensions by authorized or administrative users. Abuse of this behavior could result in the execution of custom code on the server or unauthorized access to application configuration data. This issue affects only the ScreenConnect server component; host and guest clients are not impacted. ScreenConnect 25.8 introduces enhanced server-side configuration handling and integrity checks to ensure only trusted extensions can be installed.

Affected Products
Vendor
ConnectWise
Product
ScreenConnect
Modules
  • Web Application Server
Default Status
unaffected
Versions
Affected
  • All versions prior to 2025.8
Problem Types
TypeCWE IDDescription
CWECWE-494CWE-494 Download of Code Without Integrity Check
Type: CWE
CWE ID: CWE-494
Description: CWE-494 Download of Code Without Integrity Check
Metrics
VersionBase scoreBase severityVector
3.19.1CRITICAL
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Version: 3.1
Base score: 9.1
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
CAPEC-137CAPEC-137 Parameter Injection
CAPEC ID: CAPEC-137
Description: CAPEC-137 Parameter Injection
Solutions

Cloud: No action is required. ScreenConnect servers hosted in “screenconnect.com” cloud (standalone and Automate/RMM integrated) or “hostedrmm.com” for Automate partners have been updated to remediate the issue.    On-prem: * ScreenConnect Partners: Please upgrade to ScreenConnect version 25.8 and update your guest clients to the same version. Visit Download | ScreenConnect page to download and apply the update (access requires a valid on-premises license).  * Automate On-Prem Partners with ScreenConnect Integration:  Partners using an on-premises ScreenConnect installation integrated with Automate must ensure that the Automate ScreenConnect Extension is updated to version 4.4.0.16 before upgrading the ScreenConnect server to version 25.8. Once confirmed, visit the Automate Product Updates https://docs.connectwise.com/ConnectWise_Automate_Documentation/Automate_Product_Updates page to download and apply the ScreenConnect 25.8 update.

Configurations
Workarounds
Exploits
Credits
finder
Paul Whiting (Ultraviolet Cyber)
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.connectwise.com/company/trust/security-bulletins/screenconnect-2025.8-security-patch
N/A
Hyperlink: https://www.connectwise.com/company/trust/security-bulletins/screenconnect-2025.8-security-patch
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Details not found