Hardcoded AES Key Vulnerability in ConnectWise Risk Assessment Tool
CVE-2025-4876

6MEDIUM

Key Information:

Vendor: Connectwise
Status: Risk Assessment
Vendor: CVE Published:; 19 May 2025

🔔 Create Connectwise Vulnerability Alert

What is CVE-2025-4876?

The ConnectWise Risk Assessment tool contains a vulnerability that allows an attacker to extract a hardcoded AES decryption key directly from the binary file. This key, stored in plaintext, is used for cryptographic functions without implementing dynamic key management. Once the key is compromised, it can be utilized to decrypt sensitive CSV files involved in authenticated network scanning, potentially exposing confidential information.

Affected Version(s)

Risk Assessment All versions prior to deprecation (July 2023)

References

https://github.com/packetlabs/vulnerability-advisory/blob...

CVSS V3.1

Score:

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 19, 2025
Vulnerability Reserved
May 16, 2025

Credit

Joey Melo ([email protected])

Ian Lin ([email protected])