GCVE - cpe:2.3:a:connectwise:control:*:*:*:*:*:*:*:*

Approved changes feed: RSS · Atom

cpe:2.3:a:connectwise:control:*:*:*:*:*:*:*:*

part: a version: * update: *

Vendor	Connectwise (`ec651593-cf52-50f9-a1c6-3ea8640cab23`)
Product	Control (`9fc2e45e-026c-5564-b1de-aa052cedf5fe`)
Edition	*
Language	*
Software edition	*
Target software	*
Target hardware	*
Other	*
Notes	Imported from gcve-enriched-dumps CVE data

PURL mappings

PURL	Source	Last updated
No PURL mappings for this CPE yet.

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2023-25719`	vulnerable	2026-06-08 05:56:09.737914	Details available ConnectWise Control before 22.9.10032 (formerly known as ScreenConnect) fails to validate user-supplied parameters such as the Bin/ConnectWiseControl.Client.exe h parameter. This results in reflected data and injection of malicious code into a downloaded executable. The executable can be used to execute malicious queries or as a denial-of-service vector. NOTE: this CVE Record is only about the parameters, such as the h parameter (this CVE Record is not about the separate issue of signed executable files that are supposed to have unique configurations across customers' installations). Published: 2023-02-13T00:00:00.000Z Updated: 2025-06-19T20:35:43.320Z Open on db.gcve.eu Reference links https://cybir.com/2022/cve/hijacking-connectwise-control-and-ddos/ https://www.connectwise.com/blog/cybersecurity/the-importance-of-responsible-security-disclosures https://m.youtube.com/watch?v=fbNVUgmstSc&pp=0gcJCf0Ao7VqN5tD	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2023-25718`	vulnerable	2026-06-08 05:56:09.737424	Details available In ConnectWise Control through 22.9.10032 (formerly known as ScreenConnect), after an executable file is signed, additional instructions can be added without invalidating the signature, such as instructions that result in offering the end user a (different) attacker-controlled executable file. It is plausible that the end user may allow the download and execution of this file to proceed. There are ConnectWise Control configuration options that add mitigations. Published: 2023-02-13T00:00:00.000Z Updated: 2025-06-19T20:35:05.481Z Open on db.gcve.eu Reference links https://cybir.com/2022/cve/connectwise-control-dns-spoofing-poc/ https://www.connectwise.com/blog/cybersecurity/the-importance-of-responsible-security-disclosures https://m.youtube.com/watch?v=fbNVUgmstSc&pp=0gcJCf0Ao7VqN5tD	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2019-16516`	vulnerable	2026-06-08 05:13:08.499828	Details available An issue was discovered in ConnectWise Control (formerly known as ScreenConnect) 19.3.25270.7185. There is a user enumeration vulnerability, allowing an unauthenticated attacker to determine with certainty if an account exists for a given username. Published: 2020-01-23T17:24:10.000Z Updated: 2024-08-05T01:17:40.215Z Open on db.gcve.eu Reference links https://know.bishopfox.com/advisories https://know.bishopfox.com/advisories/connectwise-control https://blog.huntresslabs.com/validating-the-bishop-fox-findings-in-connectwise-control-9155eec36a34 https://www.crn.com/news/managed-services/connectwise-control-msp-security-vulnerabilities-are-severe-bishop-fox https://www.crn.com/slide-shows/managed-services/connectwise-control-attack-chain-exploit-20-questions-for-security-researcher-bishop-fox	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.