CVE-2025-4876 is a vulnerability identified in the ConnectWise Risk Assessment product, specifically within the ConnectWise-Password-Encryption-Utility.exe binary. This vulnerability arises from the use of a hardcoded AES decryption key embedded in plaintext within the executable. The key is used for cryptographic operations related to decrypting CSV input files that are utilized during authenticated network scanning processes. Because the key is hardcoded and not dynamically managed or protected, an attacker with access to the binary can perform reverse engineering techniques to extract this AES key. Once extracted, the attacker can decrypt the CSV files, potentially exposing sensitive information contained within these files. The vulnerability affects all versions of the product prior to its deprecation in July 2023. The CVSS 3.1 score assigned is 6.0 (medium severity), with an attack vector of local (AV:L), low attack complexity (AC:L), requiring high privileges (PR:H), no user interaction (UI:N), and a scope change (S:C). The impact is high on confidentiality (C:H), with no impact on integrity or availability. No known exploits have been reported in the wild as of the publication date. This vulnerability is categorized under CWE-321, which concerns the use of hardcoded cryptographic keys, a recognized poor security practice that can lead to key compromise and subsequent data exposure. The lack of dynamic key management and embedding keys in binaries significantly weakens the cryptographic protections intended by the product, undermining trust in the confidentiality of the scanned data.

For European organizations using ConnectWise Risk Assessment, this vulnerability poses a significant confidentiality risk. The decrypted CSV files may contain sensitive network information, credentials, or configuration data used during authenticated scans, which if exposed, could facilitate further attacks such as lateral movement, privilege escalation, or targeted intrusions. Given that exploitation requires local access with high privileges, the threat is more relevant in environments where multiple users have elevated access or where insider threats exist. The scope change in the CVSS vector indicates that exploitation could affect resources beyond the initially vulnerable component, potentially impacting other systems or data flows. European organizations in sectors with stringent data protection requirements (e.g., finance, healthcare, critical infrastructure) could face regulatory and reputational consequences if sensitive data is compromised. Additionally, the presence of this vulnerability in a widely used network security tool could undermine the overall security posture, as attackers might leverage decrypted data to bypass defenses. Although no exploits are currently known in the wild, the ease of extracting the key via reverse engineering means that motivated attackers could develop exploits, especially in targeted attacks against high-value European entities.

Organizations should immediately discontinue the use of affected versions of ConnectWise Risk Assessment and upgrade to versions released after July 2023 or alternative solutions that do not embed cryptographic keys in binaries. If upgrading is not immediately possible, restrict access to systems running the vulnerable utility to trusted administrators only, minimizing the risk of local privilege abuse. Employ application whitelisting and endpoint detection to monitor for unauthorized reverse engineering or binary tampering activities. Additionally, implement strict access controls and audit logging around the use of the encryption utility and the CSV input files to detect suspicious activities. Network segmentation can limit the exposure of sensitive scan data. Organizations should also consider encrypting sensitive data at rest and in transit using keys managed by secure key management systems external to the application. Finally, conduct security awareness training to highlight the risks of privilege misuse and the importance of protecting administrative credentials.