CVE-2025-7204: CWE-201 Insertion of Sensitive Information Into Sent Data in ConnectWise PSA

Medium
Published: Wed Jul 09 2025 (07/09/2025, 14:50:36 UTC)
Source: CVE Database V5
Vendor/Project: ConnectWise
Product: PSA

Description

In ConnectWise PSA versions older than 2025.9, a vulnerability exists where authenticated users could gain access to sensitive user information. Specific API requests were found to return an overly verbose user object, which included encrypted password hashes for other users. Authenticated users could then retrieve these hashes. An attacker or privileged user could then use these exposed hashes to conduct offline brute-force or dictionary attacks. Such attacks could lead to credential compromise, allowing unauthorized access to accounts, and potentially privilege escalation within the system.

AI-Powered Analysis

Last updated: 07/09/2025, 15:24:46 UTC

Technical Analysis

CVE-2025-7204 is a medium-severity vulnerability affecting ConnectWise PSA versions prior to 2025.9. The flaw involves the insertion of sensitive information into sent data, specifically through API responses that return overly verbose user objects. Authenticated users making certain API requests can retrieve user objects containing encrypted password hashes of other users within the system. Although the hashes are encrypted, their exposure enables attackers or privileged users to perform offline brute-force or dictionary attacks to attempt to recover the original passwords. Successful password recovery could lead to credential compromise, unauthorized account access, and potential privilege escalation within the ConnectWise PSA environment. The vulnerability is classified under CWE-201 (Insertion of Sensitive Information Into Sent Data), indicating improper handling of sensitive data in communications. The CVSS v3.1 base score is 6.5, reflecting a network attack vector with low attack complexity, requiring privileges but no user interaction, and resulting in high confidentiality impact without affecting integrity or availability. No known exploits in the wild have been reported yet, but the exposure of password hashes to authenticated users represents a significant risk, especially in managed service provider environments where ConnectWise PSA is commonly used for IT service management and automation.
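
An added illustration of the CWE-201 pattern described above, not ConnectWise code: a serializer that returns the whole stored record beside an allow-listed one, plus a recursive check that can run as a regression test over decoded API responses. The field names, the sample record and the list of sensitive key fragments are assumptions, since the real PSA schema is not given here.

```python
import json

# Key fragments treated as credential material (assumed list; extend per schema).
SENSITIVE_FRAGMENTS = ("password", "passwd", "hash", "salt", "secret", "token")

# Fields a caller may see on another user's record (hypothetical allow-list).
PUBLIC_USER_FIELDS = ("id", "identifier", "first_name", "last_name", "email")


def serialize_verbose(record):
    """CWE-201 pattern: return the stored record unchanged."""
    return dict(record)


def serialize_allowlisted(record):
    """Hardened form: copy only explicitly approved fields."""
    return {k: record[k] for k in PUBLIC_USER_FIELDS if k in record}


def find_sensitive_paths(node, path="$"):
    """Walk decoded JSON and return the paths of keys that look sensitive."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if any(frag in key.lower() for frag in SENSITIVE_FRAGMENTS):
                hits.append(child)
            hits.extend(find_sensitive_paths(value, child))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_sensitive_paths(item, f"{path}[{i}]"))
    return hits


# Constructed sample record; not a real ConnectWise PSA schema.
SAMPLE_USER = {
    "id": 42, "identifier": "jdoe", "first_name": "Jane", "last_name": "Doe",
    "email": "jdoe@example.test",
    "password_hash": "<placeholder>",
    "security": {"passwordSalt": "<placeholder>", "role": "tech"},
}

if __name__ == "__main__":
    for name, fn in (("verbose", serialize_verbose), ("allow-listed", serialize_allowlisted)):
        body = json.loads(json.dumps({"members": [fn(SAMPLE_USER)]}))
        print(name, find_sensitive_paths(body))
```

Running the same check against responses captured before and after the upgrade to 2025.9 gives a quick confirmation that the fields are no longer returned.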

Potential Impact

For European organizations using ConnectWise PSA, this vulnerability poses a considerable risk to the confidentiality of user credentials. Compromise of passwords could enable attackers to gain unauthorized access to sensitive systems managed through the PSA platform, potentially leading to lateral movement, data breaches, or disruption of IT service management operations. Given that ConnectWise PSA is widely used by managed service providers (MSPs) and IT departments across Europe, exploitation could impact multiple clients and services simultaneously. The exposure of password hashes to authenticated users also raises insider threat concerns, where malicious or compromised internal users could leverage this vulnerability to escalate privileges or exfiltrate sensitive information. The risk is heightened in environments where password complexity is low or where password reuse is common, facilitating successful offline cracking attempts. Although the vulnerability does not directly affect system integrity or availability, the resulting credential compromise could indirectly lead to broader security incidents affecting European organizations’ operational security and compliance posture.

Mitigation Recommendations

European organizations should prioritize upgrading ConnectWise PSA to version 2025.9 or later, where this vulnerability has been addressed. Until patching is possible, organizations should restrict API access to only trusted and necessary users, implementing strict role-based access controls to minimize exposure. Monitoring API usage logs for unusual or excessive requests that retrieve user data can help detect potential exploitation attempts. Additionally, enforcing strong password policies, including complexity requirements and regular rotation, will reduce the risk of successful offline brute-force attacks on exposed hashes. Implementing multi-factor authentication (MFA) for all PSA user accounts can further mitigate the impact of credential compromise. Organizations should also conduct security awareness training to reduce insider threat risks and review internal user privileges to ensure least privilege principles are applied. Finally, consider network segmentation and enhanced monitoring around the PSA environment to detect and respond to suspicious activities promptly.
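
One way to implement the API log monitoring recommended above, as an added example rather than vendor tooling: it flags authenticated callers who successfully read more distinct other-user objects than a threshold. The log line format, the `/api/users/<id>` path and the threshold are hypothetical, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Hypothetical log format and endpoint path; adapt both to the real API logs.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<caller>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)
USER_OBJECT_RE = re.compile(r"^/api/users/(?P<target>[^/?]+)")


def flag_user_enumeration(lines, max_distinct_targets=3):
    """Return {caller: sorted targets} for callers reading too many other users' objects."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["method"] != "GET" or not m["status"].startswith("2"):
            continue  # skip malformed lines, writes and failed requests
        hit = USER_OBJECT_RE.match(m["path"])
        if hit and hit["target"] != m["caller"]:
            seen[m["caller"]].add(hit["target"])
    return {c: sorted(t) for c, t in seen.items() if len(t) > max_distinct_targets}


# Constructed sample log lines for illustration only.
SAMPLE_LOG = """\
2025-07-09T10:00:01Z user=alice GET /api/users/alice 200
2025-07-09T10:00:05Z user=alice GET /api/tickets/881 200
2025-07-09T10:01:00Z user=bob GET /api/users/alice 200
2025-07-09T10:01:01Z user=bob GET /api/users/carol 200
2025-07-09T10:01:02Z user=bob GET /api/users/dave 200
2025-07-09T10:01:03Z user=bob GET /api/users/erin 200
2025-07-09T10:01:04Z user=bob GET /api/users/frank 403
2025-07-09T10:02:00Z user=carol GET /api/users/alice 200
""".splitlines()

if __name__ == "__main__":
    for caller, targets in flag_user_enumeration(SAMPLE_LOG).items():
        print(f"review: {caller} read {len(targets)} other user objects: {targets}")
```

In production the counts would be bucketed per time window and service accounts with a legitimate need to list users would be excluded.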

Technical Details

Data Version: 5.1
Assigner Short Name: ConnectWise
Date Reserved: 2025-07-07T11:30:08.002Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 686e862c6f40f0eb72047eb0

Added to database: 7/9/2025, 3:09:32 PM

Last enriched: 7/9/2025, 3:24:46 PM

Last updated: 7/15/2025, 8:32:35 PM
