ConnectWise Automate Agent versions before 2026.5 suffer from a CWE-494 vulnerability where the agent fails to fully verify the integrity and authenticity of code components obtained during plugin loading and self-update processes. This flaw could allow an attacker to supply malicious code that the agent would accept and execute. The vulnerability has a CVSS 3.1 base score of 8.8, reflecting high impact on confidentiality, integrity, and availability. The vendor indicates that the issue is fixed in version 2026.5, but no explicit vendor advisory or patch link is provided in the data. The product is not a cloud service, so remediation depends on applying the updated software version.

Successful exploitation could lead to complete compromise of the ConnectWise Automate Agent, allowing an attacker to execute arbitrary code with the privileges of the agent. This impacts confidentiality, integrity, and availability of the affected system. No known active exploits have been reported, but the high CVSS score indicates a serious risk if exploited.

Upgrade ConnectWise Automate to version 2026.5 or later, where this vulnerability is addressed. Since the product is not a cloud service, remediation requires applying the official software update. Patch status is not explicitly confirmed beyond the vendor's statement that the issue is fixed in 2026.5, so verify with ConnectWise official advisories for the latest remediation guidance.