
CVE-2025-7204: CWE-201 Insertion of Sensitive Information Into Sent Data in ConnectWise PSA

Medium
Tags: Vulnerability, CVE-2025-7204, cve, cwe-201
Published: Wed Jul 09 2025 (07/09/2025, 14:50:36 UTC)
Source: CVE Database V5
Vendor/Project: ConnectWise
Product: PSA

Description

In ConnectWise PSA versions older than 2025.9, a vulnerability exists where authenticated users could gain access to sensitive user information. Specific API requests were found to return an overly verbose user object, which included encrypted password hashes for other users. Authenticated users could then retrieve these hashes. An attacker or privileged user could then use these exposed hashes to conduct offline brute-force or dictionary attacks. Such attacks could lead to credential compromise, allowing unauthorized access to accounts, and potentially privilege escalation within the system.

AI-Powered Analysis

Last updated: 07/16/2025, 21:02:55 UTC

Technical Analysis

CVE-2025-7204 is a vulnerability identified in ConnectWise PSA versions prior to 2025.9. The issue involves the insertion of sensitive information into sent data, specifically through API responses that return an overly verbose user object. Authenticated users making certain API requests can retrieve encrypted password hashes belonging to other users within the system. This exposure of password hashes constitutes a CWE-201 vulnerability, where sensitive information is inappropriately included in transmitted data. Although the hashes are encrypted, an attacker or a privileged user with valid authentication can perform offline brute-force or dictionary attacks against these hashes to attempt to recover plaintext credentials. Successful compromise of user credentials could lead to unauthorized access to user accounts and potentially enable privilege escalation within the ConnectWise PSA environment. The vulnerability does not require user interaction and can be exploited remotely over the network by any authenticated user with low attack complexity. The CVSS v3.1 base score is 6.5 (medium severity), reflecting high confidentiality impact but no impact on integrity or availability. No known exploits are currently reported in the wild, and no official patches are linked yet, indicating that organizations using affected versions should prioritize mitigation and monitoring.
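To make the CWE-201 pattern concrete, here is an added Python illustration (not ConnectWise code; the User fields, the SENSITIVE_FIELDS list and the function names are assumptions): a serializer that dumps a whole user record, the allowlist serializer that should replace it, and a small audit helper that scans any JSON response body for secret-bearing keys so a tester can check responses for this class of leak.

```python
import json
from dataclasses import dataclass, asdict

# Hypothetical user record; field names are assumptions, not ConnectWise's schema.
@dataclass
class User:
    id: int
    username: str
    email: str
    role: str
    password_hash: str  # never belongs in an API response

# Key names treated as secrets when auditing a response body (assumed list).
SENSITIVE_FIELDS = {"password_hash", "password", "salt", "api_key", "secret"}

# Fields explicitly approved for callers (assumed allowlist).
USER_PUBLIC_FIELDS = ("id", "username", "email", "role")

def serialize_user_verbose(user: User) -> str:
    """CWE-201 pattern: serializes the whole object, hash included."""
    return json.dumps(asdict(user))

def serialize_user_safe(user: User) -> str:
    """Allowlist serializer: only approved fields reach the wire."""
    data = asdict(user)
    return json.dumps({k: data[k] for k in USER_PUBLIC_FIELDS})

def find_sensitive_fields(payload: str) -> list:
    """Walk a JSON body (nested objects and arrays) and return the dotted
    paths of every key whose name is in SENSITIVE_FIELDS."""
    hits = []
    def walk(node, path):
        if isinstance(node, dict):
            for k, v in node.items():
                p = f"{path}.{k}" if path else k
                if k.lower() in SENSITIVE_FIELDS:
                    hits.append(p)
                walk(v, p)
        elif isinstance(node, list):
            for i, v in enumerate(node):
                walk(v, f"{path}[{i}]")
    walk(json.loads(payload), "")
    return hits

if __name__ == "__main__":
    u = User(7, "jdoe", "jdoe@example.invalid", "technician", "$2b$12$constructed")
    print(find_sensitive_fields(serialize_user_verbose(u)))  # ['password_hash']
    print(find_sensitive_fields(serialize_user_safe(u)))     # []
```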

Potential Impact

For European organizations utilizing ConnectWise PSA, this vulnerability poses a significant risk to the confidentiality of user credentials. As ConnectWise PSA is widely used by managed service providers (MSPs) and IT service organizations, a compromise could cascade to multiple client environments managed through the platform. Credential compromise could allow attackers to impersonate legitimate users, access sensitive customer data, and potentially escalate privileges to administrative levels within the PSA system. This could disrupt service management workflows, expose sensitive business and client information, and undermine trust in service providers. Given the medium severity and the requirement for authentication, the threat is more pronounced in environments with weak internal access controls or where user credentials are shared or reused. Additionally, the ability to conduct offline attacks on password hashes increases the risk over time, especially if strong password policies are not enforced. The lack of impact on integrity and availability means the system’s operations may continue uninterrupted while confidentiality is silently compromised, making detection more difficult.

Mitigation Recommendations

European organizations should take immediate steps to mitigate this vulnerability beyond generic patching advice. First, upgrade ConnectWise PSA to version 2025.9 or later as soon as an official patch is available. Until then, restrict API access to trusted users only and enforce the principle of least privilege to limit authenticated users' ability to make API calls that return user objects. Implement strong password policies with high complexity and length requirements to reduce the effectiveness of offline brute-force attacks on exposed hashes. Enable multi-factor authentication (MFA) for all users to mitigate the risk of credential compromise leading to unauthorized access. Monitor API usage logs for unusual or excessive requests that could indicate attempts to enumerate user hashes. Conduct regular audits of user permissions and remove unnecessary privileged accounts. Consider network segmentation to isolate the PSA system and reduce exposure. Finally, educate users about the risks of credential reuse and encourage regular password changes to limit the window of opportunity for attackers.
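As an added example of the API log monitoring recommended above (not ConnectWise's own tooling; the log line layout and the /api/users/<id> path are constructed placeholders): a Python detector that flags callers who successfully fetch many distinct user objects within a short window, which is the access pattern a hash-harvesting attempt would leave behind.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log layout (assumption, not ConnectWise's real format):
# <ISO timestamp> caller=<username> <METHOD> <path> <status>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) caller=(?P<caller>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)
# Endpoint that returns a user object (placeholder path, assumed).
USER_ENDPOINT_RE = re.compile(r"^/api/users/(?P<uid>\d+)$")

def parse_line(line):
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec

def flag_enumerators(lines, max_distinct_users=5, window=timedelta(minutes=10)):
    """Return {caller: distinct_user_ids} for callers that retrieved more than
    max_distinct_users different user objects inside any window-long span.
    Only successful GETs count: a 4xx never returned the object."""
    per_caller = defaultdict(list)  # caller -> [(ts, uid)]
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "GET" or rec["status"] != "200":
            continue
        ep = USER_ENDPOINT_RE.match(rec["path"])
        if ep:
            per_caller[rec["caller"]].append((rec["ts"], ep.group("uid")))
    flagged = {}
    for caller, events in per_caller.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # sliding window from each event
            uids = {uid for ts, uid in events[i:] if ts - start <= window}
            if len(uids) > max_distinct_users:
                flagged[caller] = max(flagged.get(caller, 0), len(uids))
    return flagged

# Constructed sample: alice reads her own record twice; bob walks IDs 1..8 in
# seconds (one more request denied), which is the pattern worth an alert.
SAMPLE_LOG = [
    "2025-07-10T09:00:01Z caller=alice GET /api/users/42 200",
    "2025-07-10T09:05:00Z caller=alice GET /api/users/42 200",
] + [f"2025-07-10T09:10:{i:02d}Z caller=bob GET /api/users/{i} 200" for i in range(1, 9)] + [
    "2025-07-10T09:12:00Z caller=bob GET /api/users/9 403",
]

if __name__ == "__main__":
    print(flag_enumerators(SAMPLE_LOG))  # {'bob': 8}
```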


Technical Details

Data Version
5.1
Assigner Short Name
ConnectWise
Date Reserved
2025-07-07T11:30:08.002Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 686e862c6f40f0eb72047eb0

Added to database: 7/9/2025, 3:09:32 PM

Last enriched: 7/16/2025, 9:02:55 PM

Last updated: 8/29/2025, 7:58:48 PM

