Share This:

Threat Update

This month, it was discovered that ConnectWise Automate versions 2021.6.131 and prior are vulnerable to exploits that allow threat actors to remotely execute code and access confidential data by performing XML external entity (XXE) injection attacks. The severity of this vulnerability is considered critical and should be patched immediately on all affected systems.

Technical Detail & Additional Information


Unpatched versions of ConnectWise Automate possess a weakly configured XML parser that does not properly validate user-supplied XML inputs, leaving the system vulnerable to XXE injection attacks.

With a weakly configured XML parser, an attacker may supply the system with a tainted XML input that causes the system to echo back the targeted data—often located in commonly named paths that may be easily guessed by an attacker, such as “file:///etc/passwd” in Unix-based systems—in the form of an error message. This can expose passwords, personally identifiable information (PII), and other confidential data that may be sold or used by the attacker to gain a foothold into the organization’s broader systems. XXE injections can also be used for denial of service (DOS) attacks, server-side request forgery (SSRF), and port scanning.


ConnectWise Automate is a key enterprise product for many Managed Services Providers. An XXE attack on an MSP’s unpatched instance of ConnectWise Automate can lead to the disclosure of confidential data and broad damage of infrastructure, severely impacting the activities of both the MSP and its customers.


ConnectWise Automate versions 2021.6.131 and prior are vulnerable to XXE attacks. Threat actors can use these attacks as the first step in a full-scale systems compromise—damaging infrastructure, exposing confidential data, and causing the targeted organization to suffer lost business and costly compliance violations.


If you have a cloud instance of ConnectWise Automate, no action is required. Cloud instances have already been patched. If your business has an on-premise instance, you should deploy the following patch,, as soon as possible:


For more in-depth information about the recommendations, please visit the following links:

If you have any questions, please contact our Security Operations Center.

Share This:
Doris Au

Posted by Doris Au

Doris is a product marketing manager at Barracuda MSP. In this position, she is responsible for connecting managed service providers with multi-layered security and data protection products that can protect their customers from today’s advanced cyber threats.

Leave a reply

Your email address will not be published. Required fields are marked *