9.8

CVE-2023-25718

EPSS 0.41%
Veröffentlicht 13.02.2023 20:15:11
Zuletzt bearbeitet 19.06.2025 21:15:22
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

In ConnectWise Control through 22.9.10032 (formerly known as ScreenConnect), after an executable file is signed, additional instructions can be added without invalidating the signature, such as instructions that result in offering the end user a (different) attacker-controlled executable file. It is plausible that the end user may allow the download and execution of this file to proceed. There are ConnectWise Control configuration options that add mitigations.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 8

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Connectwise ≫ Control Version <= 22.9.10032

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.41%	0.604

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-347 Improper Verification of Cryptographic Signature

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

https://cybir.com/2022/cve/connectwise-control-dns-spoofing-poc/

Not Applicable

https://www.connectwise.com

Product

https://www.connectwise.com/blog/cybersecurity/the-importance-of-responsible-security-disclosures

https://www.huntress.com/blog/clearing-the-air-overblown-claims-of-vulnerabilities-exploits-severity

https://m.youtube.com/watch?v=fbNVUgmstSc&pp=0gcJCf0Ao7VqN5tD

https://nvd.nist.gov/vuln/detail/CVE-2023-25718

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-25718

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-25718

EUVD