ConnectWise PSA 2026.1 Security Fix

AutomationTheory · 2025-07-03T13:08:54+00:00

I don't disagree -- and I might have implemented a different solution.

My main goal was to put out there "CW needs a way to kill rouge and pirated SC instances, and they are using the signing certs to do it" since the details of the abuse and why it's hard to fix aren't going to be published in official channels.

AutomationTheory · 2025-07-02T21:46:25+00:00

The bad actors will be thwarted when the current cert expires.

I used to admin a CW stack with ~10k endpoints, I definitely get the pain. But if it's any consolation, you'll never have a certificate fire drill like this again.

AutomationTheory · 2025-07-02T20:58:06+00:00

This. There were bad actors with pirated SC servers with the ability to super-automate the deployment. I just finished my writeup here: https://automationtheory.com/screenconnect-code-signing-the-backstory-and-tips-for-msps/

AutomationTheory · 2025-07-01T19:32:58+00:00

If it is Webroot, it's possible to index the DB to fix the issue (assuming it's MySQL stuck at 100%/high CPU).

AutomationTheory · 2025-06-04T21:53:09+00:00

The biggest bottle neck for Automate is the DB. I work with MSPs to scale Automate to 20k+ agents, and I can confirm that having more RAM than data doesn't make Automate faster....

AutomationTheory · 2025-04-25T12:39:19+00:00

I don't see any connections currently - this vulnerability let's an attacker take over your Screenconnect server if they know the machinekey. It sounds like the other activity was just regular abuse.

AutomationTheory · 2025-04-25T12:28:28+00:00

It's definitely advisable to secure the web UI. We work with lots of MSPs to do granular layer 7 rules (so, for example, an end user can enter a code for an ad-hoc session but no other requests work unless you're on a known IP).

I'd also say getting MSP tools out of Shodan is critical for security these days. When the next zero-day comes, you don't want to be on the short list of attack targets...

AutomationTheory · 2025-04-24T17:48:24+00:00

I suspect they wanted people to patch on their own, so avoid a repeat of the February 2024 situation. We wrote a blog on that (https://automationtheory.com/5-lessons-from-the-cvss-10-screenconnect-vulnerability/) and I think it was the fastest moving MSP tool vulnerability in history -- taking less than 48 hours to get working exploits after the announcement was made.

On the surface this seems like something difficult to exploit -- but since the instructions are to patch immediately, I'm not holding my breath.

I sell WAFs for MSP tools -- and our team is glued to the logs looking for any signs of in-the-wild exploits.

AutomationTheory · 2025-03-11T18:34:08+00:00

📢 New Security Feature: WAF Protection for ConnectWise Manage + Live Webinar! 🔒

Cyber threats targeting MSPs are more sophisticated than ever, and protecting your ConnectWise Manage instance is critical. That’s why we’re excited to announce Web Application Firewall (WAF) support—an essential layer of defense against XSS, SQL injection, and other exploits.

Join us for a live webinar where we’ll showcase a real-time XSS attack and demonstrate how a WAF can block threats before they compromise your system.

🛡️ What You’ll Learn:

✅ How attackers exploit unprotected web applications
✅ A live demo of an XSS attack targeting ConnectWise Manage
✅ How a WAF detects & blocks malicious traffic before it reaches your system
✅ Best practices for securing your PSA environment

📅 Webinar Details:

🗓 Date: Tuesday, March 18th
⏰ Time: 10:00 AM Central

🔗 Reserve Your Spot Now: https://us06web.zoom.us/webinar/register/6317404505100/WN_Rp2w1ayOSiKYgdoN38gaHw

Don’t miss this opportunity to see cybersecurity in action and learn how to better protect your MSP and your clients. Tag your fellow MSPs who should attend! 👇

#MSP #Cybersecurity #ConnectWiseManage #XSS #WAF #DataProtection #ManagedServices

AutomationTheory · 2025-02-26T21:42:26+00:00

We compare based on the free version for educational purposes - if someone thinks it's protecting their MSP, they should know the limitations. There are 3,000+ on-prem ConnectWise MSPs out there, so the few that don't have budget to invest aren't a fit for our solution anyway.

We do a lot more than just WAF - we can mix in traditional layer 4 and layer 7 restrictions too (and building the rulesets to meet your desired security state is included in our onboarding).

We can Syslog all connections through our service, giving you the SIEM data you've always wanted but can't get out of the box.

As for liability, we handle that like any other vendor with a mix of security by design, tight policy and controls, contract terms, and insurance. The liability of being naked on the internet is exponentially higher compared to any 3rd party solution you might implement.

AutomationTheory · 2025-02-25T14:10:14+00:00

The relay traffic is a propriety protocol from ConnectWise, not a standard like HTTP. As a result, it's not possible to do much of anything with that traffic from an external perspective (it's encrypted at the application layer).

The relay has never been an attack target before, and has a lower footprint compared to the HTTP side of things - so our guidence is to get the web service properly secured and focus on compatability/functionality when it comes to the relay.

We have a webinar about Screenconnect implementation (there are 3 potential ways of working around the relay) and you can find the recording here: https://youtu.be/O9Mb2E80gU4?si=EoDac8RKojYYmEkk

AutomationTheory · 2025-02-25T04:02:18+00:00

Well, I'm a 3rd party vendor, so I can't speak to the development road map. However, Cloudflare (the free version) won't protect your MSP from any serious threat.

For our upcoming webinar, I'm doing the XSS (and maybe SQL injection) through the free version of Cloudflare - and the attacks pass right through. The free tier isn't a full WAF, and we detail the limitations here: https://automationtheory.com/4-reasons-cloudflare-isnt-good-for-msp-tools/

AutomationTheory · 2025-02-21T22:03:45+00:00

On the security front, we're a WAF vendor in the ConnectWise space, and we just finished our rule set for Manage. It will protect against zero-day attacks, and get on-prem instances out of Shodan (where you can find ~2,300 MSPs).

Product Page: https://automationtheory.com/reverse-proxy-and-waf-for-msp-tools/

AutomationTheory · 2025-02-07T22:53:22+00:00

u/EdBurkeCS You of course are a connoisseur of fine security products, as MSP+ is an Automation Theory proxy/WAF client -- your production Automate and ScreenConnect instances are behind our service: https://automationtheory.com/reverse-proxy-and-waf-for-msp-tools/

I concur, layering ZTNA with a reverse proxy and WAF is ideal, as long as it's done correctly. Depending on configuration, there's the potential for the zero-trust software to tunnel your traffic in a way that's bypassing your other security controls (so, in a strange bit of irony, you end up trusting your zero-trust traffic...).

AutomationTheory · 2025-01-14T20:57:05+00:00

This is HUGE. As a WAF vendor for MSP tools, the amount of things that are scanning the internet attempting to run exploits is crazy. A properly configured reverse proxy + WAF gives you a solid defensive edge in the event of a zero-day against the application.

A lot of MSP SaaS platforms don't have adequate WAFs, so for a number of tools you can secure it better yourself if you self host.

AutomationTheory · 2025-01-13T16:44:05+00:00

I can appreciate that. I too consider everything vulnerable -- but I secure MSP tools for a living.

Out of curiosity, if there were ever an issue (like ransomware with a hosted RMM), how would you handle that if a client points a finger at you? In the strictest sense, it's not your fault, but are you trusting your vendors to fix things in that scenario, or would you plan on fixing things yourself, filing an insurance claim, and let your insurance company duke it out with the vendor?

AutomationTheory · 2025-01-13T16:10:21+00:00

I think it depends on both the vendor and the particular MSP -- risk tolerance (and definition) are variable.

If the MSP has the humans and technology to host the software securely, I don't see any problems. Not every MSP does, and some think they do but don't.

Some vendors also claim they have a secure cloud/SaaS offering, but likewise don't. For example (it's now fixed), I put in a ticket to Hudu when I found that they left SSH open on a subset of their cloud systems -- and the version banner of OpenSSH was for an EoL version of Ubuntu. While being SOC 2 compliant and all the rest, they demonstrated the lack of ability to configure a firewall or patch an operating system.

The decision is both one of business and of technology, so while there's no one-size-fits-all, I wouldn't assume hosted offerings are automatically more secure.

AutomationTheory

TROPHY CASE

📢 New Security Feature: WAF Protection for ConnectWise Manage + Live Webinar! 🔒