ConnectWise Enhances Security with Certificate Rotation
ConnectWise, a prominent player in the IT management software industry, has recently taken significant steps to bolster its security framework by rotating its digital code signing certificates. This move comes in response to concerns raised by a third-party security researcher about potential misuse of configuration data by threat actors. Digital certificates play a crucial role in ensuring that software is from a trusted source and remains untampered. By rotating these certificates, ConnectWise aims to mitigate risks associated with potential exploits (BleepingComputer).
The urgency of this action is underscored by a phishing campaign identified by Sophos researcher Andrew Brandt, where attackers used pre-configured ConnectWise clients disguised as legitimate documents to deceive users. These malicious installers, although appearing digitally signed, were configured with the attackers’ server, making them difficult to detect (BleepingComputer). This incident highlights the importance of maintaining robust security measures to prevent such misuse.
Security Concerns and Actions Taken
Code Signing Certificate Rotation
ConnectWise has initiated the rotation of its digital code signing certificates used for signing ScreenConnect, ConnectWise Automate, and ConnectWise RMM executables due to security concerns. This decision was influenced by a third-party security researcher who raised issues regarding the potential misuse of configuration data by threat actors (BleepingComputer). Digital certificates are crucial as they assure users that the software they are downloading is from a trusted source and has not been tampered with. By rotating these certificates, ConnectWise aims to mitigate risks associated with potential exploits.
Phishing and Misuse of ConnectWise Clients
Sophos researcher Andrew Brandt highlighted a phishing campaign where attackers used pre-configured ConnectWise clients disguised as Social Security statements to deceive users (BleepingComputer). These malicious installers, although pre-configured with the attackers’ server, appeared digitally signed, adding a layer of trust and making it difficult for users to identify them as threats. While it remains unclear if this specific incident directly led to the rotation of the certificates, it underscores the importance of maintaining robust security measures to prevent such misuse.
Configuration Handling Issues
Concerns were raised about how ScreenConnect’s configuration handling could be exploited by malicious actors. This potential misuse requires system-level access, making it a critical security issue (Born’s Tech and Windows World). ConnectWise is actively working to address this configuration handling issue, which necessitated the rotation of the certificates. The company has emphasized that this action is not related to any previous security incidents but is a proactive measure to enhance security.
Remote Code Execution Vulnerabilities
The Cybersecurity and Infrastructure Security Agency (CISA) has warned about a vulnerability in ConnectWise ScreenConnect that could allow attackers with privileged access to execute remote code on servers through malicious payloads (BleepingComputer). This vulnerability, linked to CVE-2025-3935, has been exploited in attacks suspected to be state-sponsored. Although ConnectWise has not commented on the specifics of the attack method, it has acknowledged that a small number of ScreenConnect customers were affected. This highlights the critical need for timely updates and patches to prevent exploitation.
Scheduled Certificate Updates
ConnectWise has scheduled the rotation of its digital signing certificates to ensure continued security and integrity of its software. Initially planned for June 10, 2025, at 10:00 p.m. ET, the update was later rescheduled to June 13, 2025, at 8:00 p.m. ET due to extended deadlines (Born’s Tech and Windows World). This update includes automatic certificate updates for all cloud instances of Automate and RMM, as well as agent updates. ConnectWise has assured customers that these actions are part of its ongoing security and reliability initiatives, accelerated due to recent requirements.
Proactive Security Measures
In response to the security concerns, ConnectWise is implementing several proactive measures to enhance its security posture. These include improvements to certificate management and overall product hardening (Born’s Tech and Windows World). By strengthening its security infrastructure, ConnectWise aims to prevent potential abuses and ensure the safety of its customers’ data. The company remains committed to addressing any vulnerabilities and maintaining the trust of its users through continuous security enhancements.
Final Thoughts
ConnectWise’s proactive approach to rotating its code signing certificates reflects a broader commitment to enhancing cybersecurity measures. By addressing vulnerabilities and improving certificate management, the company aims to safeguard its software and protect its users from potential threats. The scheduled updates and proactive security measures underscore ConnectWise’s dedication to maintaining the trust of its customers and ensuring the integrity of its products (Born’s Tech and Windows World). As cybersecurity threats continue to evolve, such initiatives are crucial in staying ahead of potential exploits and ensuring the safety of digital environments.
References
- ConnectWise rotating code signing certificates over security concerns. (2025). BleepingComputer. https://www.bleepingcomputer.com/news/security/connectwise-rotating-code-signing-certificates-over-security-concerns/
- ConnectWise updates server certificates: Update your software before June 10, 2025. (2025). Born’s Tech and Windows World. https://www.borncity.com/win/2025/06/09/connectwise-updates-server-certificates-update-your-software-before-june-10-2025/
