ConnectWise has disclosed a high-impact vulnerability in its ConnectWise Automate platform that could allow attackers to bypass critical integrity validation during the agent’s plugin loading and self-update mechanisms, potentially enabling malicious code execution on affected on-premises deployments. Read this Cybersecurity Threat Advisory to learn how to minimize your risk.
What is the threat?
CVE-2026-9089 is a vulnerability in the ConnectWise Automate Agent where the agent does not fully verify the authenticity/integrity of components obtained during plugin loading and self-update operations. This aligns with CWE-494 (Download of code without integrity check), meaning components may be executed without undergoing full integrity validation. ConnectWise describes this as improper integrity validation during agent component acquisition, creating an opportunity for an attacker to introduce tampered components in relevant conditions.
Why is it noteworthy?
This is noteworthy because the vulnerability is rated CVSS 8.8 (High) and is assessed as having low attack complexity, with no privileges required and no user interaction, using an adjacent network attack context. In addition, the published metrics indicate potential impact to confidentiality, integrity, and availability, raising the likelihood of serious compromise. This is especially concerning in MSP environments where organizations widely deploy Automate agents across managed endpoints.
What is the exposure or risk?
This vulnerability impacts on-premises ConnectWise Automate deployments running versions earlier than 2026.5. ConnectWise notes that cloud-hosted instances have already been updated automatically, reducing exposure for managed cloud environments. Successful exploitation can enable an attacker to execute malicious components via the Automate Agent’s plugin loading/self-update behavior, leading to unauthorized code execution on the agent system. This could provide an attacker a foothold suitable for follow-on activity.
What are the recommendations?
Barracuda recommends the following to mitigate risk:
- Upgrade ConnectWise Automate on-premises to 2026.5 or later to address the integrity/authenticity validation issue affecting plugin loading and self-update components.
- Review for anomalous agent plugin loading / self-update activity by checking related network and agent/update telemetry for signs of unexpected component downloads or behavior (especially within the timeframe of unusual activity).
- Limit adjacent-network exposure by restricting network paths and access required for Automate operations, reducing the opportunity for an attacker to tamper with downloaded components during plugin loading/self-update workflows.
- Create an incident response plan for Automate compromise scenarios.
References
For more in-depth information about the recommendations, please visit the following links:
- https://radar.offseq.com/threat/cve-2026-9089-cwe-494-download-of-code-without-int-ce611409
- https://cybersecuritynews.com/connectwise-automate-vulnerability/
- https://nvd.nist.gov/vuln/detail/CVE-2026-9089
If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.
