CVE-2025-4876

Hardcoded Key Revealed in ConnectWise Password Encryption Utility

Description

ConnectWise-Password-Encryption-Utility.exe in ConnectWise Risk Assessment allows an attacker to extract a hardcoded AES decryption key via reverse engineering. This key is embedded in plaintext within the binary and used in cryptographic operations without dynamic key management. Once obtained the key can be used to decrypt CSV input files used for authenticated network scanning.

Remediation

Solution:

  • ConnectWise deprecated the tool in July 2023 and provided a new utility that does not contain hardcoded keys. The previous tool relied on a third-party utility that required credentials to be stored locally to perform authenticated network scans. Partners who still have the deprecated tool on their systems should remove it.

Category

6.0
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.01%
Affected: ConnectWise Risk Assessment
Published at:
Updated at:

References

Link Tags
https://github.com/packetlabs/vulnerability-advisory/blob/main/Disclosures/PL-2025-11315/README.md

Frequently Asked Questions

What is the severity of CVE-2025-4876?
CVE-2025-4876 has been scored as a medium severity vulnerability.
How to fix CVE-2025-4876?
To fix CVE-2025-4876: ConnectWise deprecated the tool in July 2023 and provided a new utility that does not contain hardcoded keys. The previous tool relied on a third-party utility that required credentials to be stored locally to perform authenticated network scans. Partners who still have the deprecated tool on their systems should remove it.
Is CVE-2025-4876 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2025-4876 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-4876?
CVE-2025-4876 affects ConnectWise Risk Assessment.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.