MEDIUM✓ PATCH🇬🇧 English

CVE-2025-14823

CVSS 5.3v3.1pub. 2025-12-18upd. 2026-01-16

In deployments using the ScreenConnect™ Certificate Signing Extension, encrypted configuration values including an Azure Key Vault-related key, could be returned to unauthenticated users through a client-facing endpoint under certain conditions. The values remained encrypted and securely stored at rest; however, an encrypted representation could be exposed in client responses. Updating the Certificate Signing Extension to version 1.0.12 or higher ensures configuration handling occurs exclusively on the server side, preventing encrypted values from being transmitted to or rendered by client-side components.

oryginał EN
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
  • Connectwise Screenconnect

    APP
    Connectwise
    < 1.0.12
🟢
PATCH DOSTĘPNY
Aktualizacja od producenta gotowa. Wdrożenie w ramach standardowego cyklu.
CWE
Referencje

Powiązane podatności

CVE-2024-1709CRITICAL10.0⚠ KEVPL ✓ten sam produkt

Authentication Bypass w ConnectWise ScreenConnect — bezpośredni dostęp do systemów

CVE-2025-14265CRITICAL9.1PL ✓ten sam produkt

ConnectWise ScreenConnect — instalacja niezaufanych rozszerzeń z RCE

CVE-2025-3935HIGH8.1⚠ KEVten sam produkt

ScreenConnect versions 25.2.3 and earlier versions may be susceptible to a ViewState code injection attack. AS...

CVE-2024-1708HIGH8.4⚠ KEVten sam produkt

ConnectWise ScreenConnect 23.9.7 and prior are affected by path-traversal vulnerability, which may allow an at...

CVE-2023-47257HIGH8.1ten sam produkt

ConnectWise ScreenConnect through 23.8.4 allows man-in-the-middle attackers to achieve remote code execution v...

CVE-2025-14823 — MEDIUM 5.3 | CVEbaza.pl