CVE-2023-25719

Published: Feb 13, 2023

Modified: Jun 19, 2025

PUBLISHED

Description

ConnectWise Control before 22.9.10032 (formerly known as ScreenConnect) fails to validate user-supplied parameters such as the Bin/ConnectWiseControl.Client.exe h parameter. This results in reflected data and injection of malicious code into a downloaded executable. The executable can be used to execute malicious queries or as a denial-of-service vector. NOTE: this CVE Record is only about the parameters, such as the h parameter (this CVE Record is not about the separate issue of signed executable files that are supposed to have unique configurations across customers' installations).

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://cybir.com/2022/cve/hijacking-connectwise-control-and-ddos/

https://www.connectwise.com/blog/cybersecurity/the-importance-of-responsible-security-disclosures

https://m.youtube.com/watch?v=fbNVUgmstSc&pp=0gcJCf0Ao7VqN5tD

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2023-25719

Description

Affected Products

References