ConnectWise ScreenConnect Certificate Signing Extension Encrypted Configuration Value Exposure Vulnerability
Vulnerability
A vulnerability exists in ConnectWise ScreenConnect deployments using the Certificate Signing Extension, versions prior to 1.0.12. Under certain conditions, encrypted configuration values, including keys related to Azure Key Vault, could be exposed to unauthenticated users through a client-facing endpoint. While the encrypted values remain securely stored at rest, their transmission in client responses creates a potential risk. The vulnerability arises from improper handling of configuration data, which can inadvertently leak sensitive information to the client side.
Impact
The vulnerability allows for the unintentional exposure of encrypted configuration values to unauthenticated users via client-facing endpoints. This could include sensitive keys related to Azure Key Vault, creating a risk of unauthorized access or manipulation of resources managed by the Key Vault.
Remediation
To address this vulnerability, on-premises partners should update the Certificate Signing Extension to version 1.0.12 or higher. ScreenConnect servers hosted in the 'screenconnect.com' cloud or 'hostedrmm.com' for Automate partners have already been updated to remediate the issue.
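The root cause described above is a configuration object being handed whole to a client-facing serializer, so encrypted values that are safe at rest still travel in responses. The following is an added example, not ConnectWise's or the extension's own code: it shows that vulnerable pattern beside an allowlist projection that withholds everything a client UI does not need, a small response audit a test suite can run to catch regressions, and a version check against the 1.0.12 threshold from the remediation section. Every key name, value and URI in it is constructed for illustration.

```python
"""Added example (not ConnectWise code): returning a raw configuration object
to the client leaks encrypted secrets; an allowlist projection prevents it.
All key names and values below are constructed for illustration."""
import json
import re

# Constructed server-side configuration, mirroring the shape the advisory
# describes: ordinary UI settings alongside encrypted secret material that is
# safe at rest but must never be serialized into a client response.
SERVER_CONFIG = {
    "ExtensionName": "Certificate Signing Extension",                   # constructed
    "SigningTimeoutSeconds": 30,                                        # constructed
    "AzureKeyVaultUri": "https://example-vault.vault.azure.net/",       # constructed
    "AzureKeyVaultCertificateName": "example-signing-cert",             # constructed
    "AzureKeyVaultClientSecretEncrypted": "ENC:AQIDBAUGBwgJCgsMDQ4PEA==",  # constructed
    "EncryptedApiKey": "ENC:EBESExQVFhcYGRobHB0eHyA=",                  # constructed
}

# Keys a client-side UI legitimately needs (assumed set). Anything not listed
# is withheld; new keys are invisible to clients until deliberately added here.
CLIENT_SAFE_KEYS = frozenset({"ExtensionName", "SigningTimeoutSeconds"})


def build_client_response_vulnerable(config):
    """Vulnerable pattern: the whole config object goes to the serializer, so
    encrypted values ride along even though they are encrypted at rest."""
    return json.dumps(config)


def build_client_response_hardened(config):
    """Hardened pattern: project only allowlisted keys before serializing.
    Secrets never reach the serializer, so there is nothing to leak."""
    return json.dumps({k: config[k] for k in CLIENT_SAFE_KEYS if k in config})


# Heuristics for the audit: key names that commonly denote secret material and
# the constructed "ENC:" prefix used above for encrypted values.
SECRET_KEY_PATTERN = re.compile(r"secret|encrypted|key|password|token", re.IGNORECASE)
ENCRYPTED_VALUE_PATTERN = re.compile(r"^ENC:")


def audit_client_response(body):
    """Defensive check for a test suite: return the sorted names of keys in a
    serialized response whose name or value looks like secret material."""
    findings = []
    for key, value in json.loads(body).items():
        name_hit = SECRET_KEY_PATTERN.search(key) is not None
        value_hit = isinstance(value, str) and ENCRYPTED_VALUE_PATTERN.match(value) is not None
        if name_hit or value_hit:
            findings.append(key)
    return sorted(findings)


# Fixed version from the advisory's remediation section.
FIXED_VERSION = (1, 0, 12)


def extension_is_remediated(version_string):
    """True when the installed Certificate Signing Extension version is 1.0.12
    or higher. Numeric tuple comparison avoids the string-comparison trap
    where "1.0.9" would sort after "1.0.12"."""
    parts = tuple(int(p) for p in version_string.strip().split("."))
    return parts >= FIXED_VERSION


if __name__ == "__main__":
    leaky = build_client_response_vulnerable(SERVER_CONFIG)
    safe = build_client_response_hardened(SERVER_CONFIG)
    print("vulnerable response leaks:", audit_client_response(leaky))
    print("hardened response leaks:  ", audit_client_response(safe))
    for v in ("1.0.9", "1.0.12", "1.1.0"):
        print(v, "remediated" if extension_is_remediated(v) else "VULNERABLE")
```

The audit is intentionally a regression guard rather than a substitute for the allowlist: it catches a future change that re-introduces a raw serialization, while the projection is what actually keeps secret-bearing keys out of the response. The version check is the one on-premises check that follows directly from the remediation guidance.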
