{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6066", "assignerOrgId": "7d616e1a-3288-43b1-a0dd-0a65d3e70a49", "state": "PUBLISHED", "assignerShortName": "ConnectWise", "dateReserved": "2026-04-10T13:19:03.212Z", "datePublished": "2026-04-20T15:26:31.843Z", "dateUpdated": "2026-04-20T16:13:06.767Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "7d616e1a-3288-43b1-a0dd-0a65d3e70a49", "shortName": "ConnectWise", "dateUpdated": "2026-04-20T15:26:31.843Z"}, "title": "Unencrypted Client\u2011Server Communication in ConnectWise Automate\u2122 Solution Center", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-319", "description": "CWE-319 Cleartext transmission of sensitive information", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-117", "descriptions": [{"lang": "en", "value": "CAPEC-117 Interception"}]}], "affected": [{"vendor": "ConnectWise", "product": "Automate", "modules": ["Solution Center"], "versions": [{"status": "affected", "version": "All versions prior to 2026.4"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "ConnectWise has released a security update for ConnectWise Automate\u2122 that addresses a behavior in the ConnectWise Automate Solution Center where certain client-to-server communications could occur without transport-layer encryption. This could allow network\u2011based interception of Solution Center traffic in Automate deployments. The issue has been resolved in Automate 2026.4 by enforcing secure communication for affected Solution Center connections.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "ConnectWise has released a security update for ConnectWise Automate\u2122 that addresses a behavior in the ConnectWise Automate Solution Center where certain client-to-server communications could occur without transport-layer encryption. This could allow network\u2011based interception of Solution Center traffic in Automate deployments. The issue has been resolved in Automate 2026.4 by enforcing secure communication for affected Solution Center connections."}]}], "references": [{"url": "https://www.connectwise.com/company/trust/security-bulletins/2026-04-20-connectwise-automate-bulletin"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseSeverity": "HIGH", "baseScore": 7.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N"}}], "solutions": [{"lang": "en", "value": "Remediation\n\n\n\nCloud:\u00a0No action is required.\u00a0\n\nOn-Premise:\u00a0Apply the 2026.4 release.\n\n\nFor instruction on updating to the newest release, please\nreference this doc: Automate Release Notes Version 2026 - ConnectWise https://docs.connectwise.com/ConnectWise_Automate_Documentation/100/Automate_Release_Notes_Version_2026 \n\nAfter applying the update, on-premises customers must\nensure the following configurations are in place:\n\n\n\n * An SSL certificate is bound to the Solution\nCenter on port 8484 to establish secure communication. Refer to the ConnectWise documentation for configuration steps: Solution Center Client and\nService HTTPS Update - ConnectWise\n * In some environments, antivirus or endpoint\nprotection products may interfere with the Automate patch installer or service\nbehavior during upgrades. If issues are encountered during installation or\nstartup, refer to the ConnectWise documentation for recommended antivirus\nexclusions: Automate Antivirus Exclusions for Windows https://docs.connectwise.com/ConnectWise_Automate_Documentation/060/040/010 \n * Ensure that the LTShare has a minimum of 1 GB of\nfree disk space prior to installation.\n\n\n\n\n\n\n\n\n\n\n\n\n\n\nIf you experience issues completing the update or\nrequired configuration steps, please contact ConnectWise\nSupport for assistance.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p><b>Remediation</b></p>\n\n<p><u>Cloud:</u>&nbsp;<span>No action is required.&nbsp;</span></p><p><span><u>On-Premise:</u>&nbsp;</span><span>Apply the 2026.4 release.</span><span><br></span></p><p>For instruction on updating to the newest release, please\nreference this doc: <a href=\"https://docs.connectwise.com/ConnectWise_Automate_Documentation/100/Automate_Release_Notes_Version_2026\">Automate Release Notes Version 2026 - ConnectWise</a> </p><p>After applying the update, on-premises customers must\nensure the following configurations are in place:</p><p></p><ul><li>An SSL certificate is bound to the Solution\nCenter on port 8484 to establish secure communication. Refer to the ConnectWise documentation for configuration steps: <a href=\"https://docs.connectwise.com/ConnectWise_Automate_Documentation/070/270/Solution_Center_Client_and_Service_HTTPS_Update\">Solution Center Client and\nService HTTPS Update - ConnectWise</a></li><li><span>In some environments, antivirus or endpoint\nprotection products may interfere with the Automate patch installer or service\nbehavior during upgrades. If issues are encountered during installation or\nstartup, refer to the ConnectWise documentation for recommended antivirus\nexclusions:</span><span> </span><a href=\"https://docs.connectwise.com/ConnectWise_Automate_Documentation/060/040/010\">Automate Antivirus Exclusions for Windows</a></li><li>Ensure that the LTShare has a minimum of 1 GB of\nfree disk space prior to installation.</li></ul><p></p><p>\n\n\n\n\n\n\n\n</p><p>If you experience issues completing the update or\nrequired configuration steps, please contact <a href=\"mailto:help@connectwise.com\">ConnectWise\nSupport</a> for assistance.</p>"}]}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-20T16:12:51.126302Z", "id": "CVE-2026-6066", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T16:13:06.767Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-6066", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-20T16:12:51.126302Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T16:12:59.962Z"}}], "cna": {"title": "Unencrypted Client\u2011Server Communication in ConnectWise Automate\u2122 Solution Center", "source": {"discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-117", "descriptions": [{"lang": "en", "value": "CAPEC-117 Interception"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "ConnectWise", "modules": ["Solution Center"], "product": "Automate", "versions": [{"status": "affected", "version": "All versions prior to 2026.4"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Remediation\n\n\n\nCloud:\u00a0No action is required.\u00a0\n\nOn-Premise:\u00a0Apply the 2026.4 release.\n\n\nFor instruction on updating to the newest release, please\nreference this doc: Automate Release Notes Version 2026 - ConnectWise https://docs.connectwise.com/ConnectWise_Automate_Documentation/100/Automate_Release_Notes_Version_2026 \n\nAfter applying the update, on-premises customers must\nensure the following configurations are in place:\n\n\n\n * An SSL certificate is bound to the Solution\nCenter on port 8484 to establish secure communication. Refer to the ConnectWise documentation for configuration steps: Solution Center Client and\nService HTTPS Update - ConnectWise\n * In some environments, antivirus or endpoint\nprotection products may interfere with the Automate patch installer or service\nbehavior during upgrades. If issues are encountered during installation or\nstartup, refer to the ConnectWise documentation for recommended antivirus\nexclusions: Automate Antivirus Exclusions for Windows https://docs.connectwise.com/ConnectWise_Automate_Documentation/060/040/010 \n * Ensure that the LTShare has a minimum of 1 GB of\nfree disk space prior to installation.\n\n\n\n\n\n\n\n\n\n\n\n\n\n\nIf you experience issues completing the update or\nrequired configuration steps, please contact ConnectWise\nSupport for assistance.", "supportingMedia": [{"type": "text/html", "value": "<p><b>Remediation</b></p>\n\n<p><u>Cloud:</u>&nbsp;<span>No action is required.&nbsp;</span></p><p><span><u>On-Premise:</u>&nbsp;</span><span>Apply the 2026.4 release.</span><span><br></span></p><p>For instruction on updating to the newest release, please\nreference this doc: <a href=\"https://docs.connectwise.com/ConnectWise_Automate_Documentation/100/Automate_Release_Notes_Version_2026\">Automate Release Notes Version 2026 - ConnectWise</a> </p><p>After applying the update, on-premises customers must\nensure the following configurations are in place:</p><p></p><ul><li>An SSL certificate is bound to the Solution\nCenter on port 8484 to establish secure communication. Refer to the ConnectWise documentation for configuration steps: <a href=\"https://docs.connectwise.com/ConnectWise_Automate_Documentation/070/270/Solution_Center_Client_and_Service_HTTPS_Update\">Solution Center Client and\nService HTTPS Update - ConnectWise</a></li><li><span>In some environments, antivirus or endpoint\nprotection products may interfere with the Automate patch installer or service\nbehavior during upgrades. If issues are encountered during installation or\nstartup, refer to the ConnectWise documentation for recommended antivirus\nexclusions:</span><span> </span><a href=\"https://docs.connectwise.com/ConnectWise_Automate_Documentation/060/040/010\">Automate Antivirus Exclusions for Windows</a></li><li>Ensure that the LTShare has a minimum of 1 GB of\nfree disk space prior to installation.</li></ul><p></p><p>\n\n\n\n\n\n\n\n</p><p>If you experience issues completing the update or\nrequired configuration steps, please contact <a href=\"mailto:help@connectwise.com\">ConnectWise\nSupport</a> for assistance.</p>", "base64": false}]}], "references": [{"url": "https://www.connectwise.com/company/trust/security-bulletins/2026-04-20-connectwise-automate-bulletin"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "ConnectWise has released a security update for ConnectWise Automate\u2122 that addresses a behavior in the ConnectWise Automate Solution Center where certain client-to-server communications could occur without transport-layer encryption. This could allow network\u2011based interception of Solution Center traffic in Automate deployments. The issue has been resolved in Automate 2026.4 by enforcing secure communication for affected Solution Center connections.", "supportingMedia": [{"type": "text/html", "value": "ConnectWise has released a security update for ConnectWise Automate\u2122 that addresses a behavior in the ConnectWise Automate Solution Center where certain client-to-server communications could occur without transport-layer encryption. This could allow network\u2011based interception of Solution Center traffic in Automate deployments. The issue has been resolved in Automate 2026.4 by enforcing secure communication for affected Solution Center connections.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-319", "description": "CWE-319 Cleartext transmission of sensitive information"}]}], "providerMetadata": {"orgId": "7d616e1a-3288-43b1-a0dd-0a65d3e70a49", "shortName": "ConnectWise", "dateUpdated": "2026-04-20T15:26:31.843Z"}}}, "cveMetadata": {"cveId": "CVE-2026-6066", "state": "PUBLISHED", "dateUpdated": "2026-04-20T16:13:06.767Z", "dateReserved": "2026-04-10T13:19:03.212Z", "assignerOrgId": "7d616e1a-3288-43b1-a0dd-0a65d3e70a49", "datePublished": "2026-04-20T15:26:31.843Z", "assignerShortName": "ConnectWise"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "ConnectWise has released a security update for ConnectWise Automate\u2122 that addresses a behavior in the ConnectWise Automate Solution Center where certain client-to-server communications could occur without transport-layer encryption. This could allow network\u2011based interception of Solution Center traffic in Automate deployments. The issue has been resolved in Automate 2026.4 by enforcing secure communication for affected Solution Center connections."}], "id": "CVE-2026-6066", "lastModified": "2026-04-20T19:05:30.750", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "7d616e1a-3288-43b1-a0dd-0a65d3e70a49", "type": "Secondary"}]}, "published": "2026-04-20T16:16:50.123", "references": [{"source": "7d616e1a-3288-43b1-a0dd-0a65d3e70a49", "url": "https://www.connectwise.com/company/trust/security-bulletins/2026-04-20-connectwise-automate-bulletin"}], "sourceIdentifier": "7d616e1a-3288-43b1-a0dd-0a65d3e70a49", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-319"}], "source": "7d616e1a-3288-43b1-a0dd-0a65d3e70a49", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2026.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Automate", "source": "cna", "vendor": "ConnectWise"}, "product": "automate", "vendor": "connectwise"}], "analysis": {"en": {"generated_at": "2026-04-20T16:26:30.627130+00:00", "value": {"mitigation_remediation": ["Apply the 2026.4 release to all on\u2011premises servers", "Ensure an SSL certificate is bound to the Solution Center on port\u202f8484 after upgrading", "Add the recommended antivirus exclusions for the Automate installer and service", "Make sure LTShare has a minimum of 1\u202fGB free disk space before installation"], "summary": {"action": "Apply patch", "impact": "Unencrypted traffic interception"}, "threat_synthesis": {"affected_systems": "ConnectWise Automate deployments that use the on\u2011premises Solution Center are affected. The vulnerability is present in all on\u2011premises versions prior to the 2026.4 release; cloud\u2011based deployments do not require action.", "description_and_impact": "The vulnerability permits certain client-to-server communications in ConnectWise Automate\u2019s Solution Center to occur without transport\u2011layer encryption, which could allow an attacker who can observe the network to intercept and read the traffic. This loss of confidentiality can expose credentials or other sensitive data that is transmitted between clients and the server.", "risk_and_exploitability": "The CVSS score of 7.1 indicates moderate to high risk. While the EPSS score is not available, the nature of the flaw suggests that network\u2011based attackers could easily exploit it, especially in environments lacking proper segmentation. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is through an eavesdropping network path between client machines and the Solution Center, where an interceptor can capture unencrypted packets. Due to the absence of encryption, an attacker can obtain sensitive data but cannot remotely execute code or modify data."}}}}, "created": "2026-04-20T16:30:06.095448+00:00", "updated": "2026-04-20T16:30:06.277429+00:00", "vendors": ["connectwise", "connectwise$PRODUCT$automate"]}