ConnectWise has revealed that due to security concerns it plans to rotate the digital code signing certificate used to sign Remote Monitoring and Management (RMM) executables for ScreenConnect, ConnectWise Automate and ConnectWise.
The company said it is doing so “due to concerns raised by third-party researchers about how ScreenConnect handled certain configuration data in previous versions.”
The company has not publicly elaborated on the nature of the issue, but it is shedding more light with private FAQs that only customers can access (and later shared on Reddit) –
The concern comes from screenconnect using the ability to store configuration data in the available space of the installer that is not signed but is part of the installer. This feature allows you to pass configuration information for connections (between the agent and server), such as URLs that the agent calls back without disabling the signature. Unsigned areas are used by software and others for customization, but when combined with the capabilities of remote control solutions, today’s security standards allow for insecure design patterns to be created.
In addition to issuing new certificates, the company said it is releasing an update designed to improve the way the aforementioned configuration data is managed by ScreenConnect.
The digital certificate revocation is scheduled to take place at 8pm on June 13th (12am on June 14th, UTC). Connectwise emphasizes that this issue does not involve system or certificate compromises.
It is worth noting that on all cloud instances of Automate and RMM, ConnectWise is in the process of automatically updating certificates and agents.
However, anyone using an on-premises version of ScreenConnect or Automate should update to the latest build and verify that all agents are updated before the cutoff date to avoid service disruption.
“We had already planned to increase certificate management and product hardening, but these efforts are now implemented in an accelerated timeline,” Connectwise said. We understand that this can pose challenges and are committed to supporting you through the transition. ”
The development comes days after it revealed that by leveraging CVE-2025-3935 to implement a code injection attack on viewing states, the threat actor suspected of a nation-state threat has breached the system and affected a small number of customers.
It also allows attackers to rely more and more on legal RMM software such as Screenconnect to obtain permanent remote access in stealth and infiltrate and fly under the radar.
This attack method, called Live-Off-The-Land (LOTL), allows you to hijack software’s unique features for remote access, file transfers, and command execution.
Source link
