CVE-2023-25719
Severity CVSS v4.0:
Pending analysis
Type:
CWE-74
Injection
Publication date:
13/02/2023
Last modified:
19/06/2025
Description
ConnectWise Control before 22.9.10032 (formerly known as ScreenConnect) fails to validate user-supplied parameters such as the Bin/ConnectWiseControl.Client.exe h parameter. This results in reflected data and injection of malicious code into a downloaded executable. The executable can be used to execute malicious queries or as a denial-of-service vector. NOTE: this CVE Record is only about the parameters, such as the h parameter (this CVE Record is not about the separate issue of signed executable files that are supposed to have unique configurations across customers' installations).
Impact
Base Score 3.x
8.80
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:connectwise:control:*:*:*:*:*:*:*:* | | 22.9.10032 (excluding) |
References to Advisories, Solutions, and Tools
- https://cybir.com/2022/cve/hijacking-connectwise-control-and-ddos/
- https://m.youtube.com/watch?v=fbNVUgmstSc&pp=0gcJCf0Ao7VqN5tD
- https://www.connectwise.com/blog/cybersecurity/the-importance-of-responsible-security-disclosures
- https://www.connectwise.com
- https://www.huntress.com/blog/clearing-the-air-overblown-claims-of-vulnerabilities-exploits-severity



