
ConnectWise Automate Patch Exposes How RMM Tool Gaps Endanger Crypto Operations

Crypto operations relying on managed IT services received a stark reminder of infrastructure risk this week after ConnectWise disclosed two critical vulnerabilities in its Automate remote monitoring and management (RMM) platform. The flaws, tracked as CVE-2025-11492 and CVE-2025-11493, enable adversary-in-the-middle (AiTM) attacks that could compromise every endpoint under an MSP's management—including systems handling digital asset transactions and wallet operations.

The Exploit Mechanics

The first vulnerability, CVE-2025-11492 (CVSS v3.1 score 9.6), stems from Automate agents being able to send sensitive data to the central server over cleartext HTTP. Where agents are configured for unencrypted communication, anyone positioned on the path, whether on the same network segment or holding a compromised VPN account, can read and alter credentials, commands and update payloads in transit. With Bitcoin trading above $107,000 and institutional crypto adoption accelerating, an attacker pivoting through RMM infrastructure into exchange-connected systems is a genuine systemic risk rather than a theoretical one.

The second flaw, CVE-2025-11493 (CVSS 8.8), compounds the danger. Prior to the 2025.9 patch, ConnectWise Automate did not verify the cryptographic integrity of update packages delivered to endpoints. An attacker who has already established an adversary-in-the-middle position via CVE-2025-11492 can therefore substitute malicious payloads for legitimate updates, and the agent will install them. Those packages run with the agent's own privileges, which on Windows is typically SYSTEM.
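To make the second flaw concrete, here is an added illustration (not ConnectWise code, and not the real Automate package format) of the difference between an updater that installs whatever arrives on the connection and one that checks the package against a pinned manifest before touching it. The zip layout, the file names, the "manifest" dictionary and the attacker's substituted package are all constructed for the example.

```python
"""Vulnerable versus hardened update installation (added example).

The vulnerable path models pre-2025.9 behaviour: no integrity check, so an
on-path attacker (the position CVE-2025-11492 hands them) can swap the body.
The hardened path refuses anything whose digest is not in a pinned manifest.
Package format, file names and manifest are constructed for illustration.
"""
import hashlib
import hmac
import io
import zipfile


def build_package(files: dict) -> bytes:
    """Pack {name: bytes} into an in-memory zip (stand-in for a real update)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Vendor side: the package the server intended to ship. The manifest of
# expected digests is assumed to be pinned in the agent (or delivered signed),
# i.e. NOT fetched over the same channel the attacker controls.
LEGIT = build_package({"agent.bin": b"legit agent build 2025.9"})
PINNED_MANIFEST = {"agent-2025.9.zip": sha256(LEGIT)}

# Attacker side: the package substituted in transit (constructed).
MALICIOUS = build_package({"agent.bin": b"implant that hunts for wallet keys"})


def vulnerable_install(name: str, package: bytes) -> dict:
    """Pre-fix behaviour: extract and use whatever the 'server' sent."""
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        return {n: zf.read(n) for n in zf.namelist()}


def hardened_install(name: str, package: bytes) -> dict:
    """Post-fix behaviour: verify integrity against the pinned manifest first."""
    expected = PINNED_MANIFEST.get(name)
    if expected is None:
        raise ValueError(f"{name}: not listed in manifest, refusing")
    # Constant-time compare so the check itself leaks nothing about the digest.
    if not hmac.compare_digest(sha256(package), expected):
        raise ValueError(f"{name}: digest mismatch, refusing")
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        return {n: zf.read(n) for n in zf.namelist()}


def simulate(install) -> tuple:
    """Run an installer against the attacker-substituted package."""
    try:
        files = install("agent-2025.9.zip", MALICIOUS)
        return ("installed", files["agent.bin"])
    except ValueError as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    print("vulnerable:", simulate(vulnerable_install))
    print("hardened:  ", simulate(hardened_install))
```

Digest pinning is used here only because it fits in the standard library; a production updater verifies a vendor signature over the manifest with a public key baked into the agent, so that neither the package nor the list of expected digests can be swapped on the wire. The point the example makes is the one the advisory makes: transport encryption alone does not save you if the agent will still execute an unverified package.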

Affected Systems

ConnectWise Automate is deployed by thousands of managed service providers globally, making the blast radius exceptionally wide. In the crypto sector, many exchanges, custody providers, and blockchain startups outsource their IT management to MSPs using tools like Automate. The attack chain requires no user interaction: once network access is obtained through ARP cache poisoning or VPN compromise, the entire fleet of managed endpoints becomes vulnerable to silent compromise.

MITRE ATT&CK mappings include T1557.002 (Adversary-in-the-Middle: ARP Cache Poisoning), T1195.002 (Supply Chain Compromise: Compromise Software Supply Chain), and T1040 (Network Sniffing). The attack is particularly dangerous because it can evade traditional endpoint detection: the malicious code arrives through a trusted update channel and runs under a process that security tooling is usually configured to trust.

The Mitigation Strategy

ConnectWise released version 2025.9 on October 16, 2025, which enforces HTTPS for all agent communications and adds cryptographic integrity verification for update packages. Organizations running on-premise Automate instances must upgrade immediately. Cloud-hosted instances receive the patch automatically, but operators should still confirm the running version rather than assume it.

For crypto-specific environments, additional hardening measures are warranted: segment RMM traffic onto isolated VLANs, implement certificate pinning where possible, and deploy network intrusion detection to flag ARP spoofing attempts. Monitor for indicators of compromise including unauthorized update files, agent check-ins that still go over plain HTTP after the patch, and anomalous process launches on managed endpoints.
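Two of those monitoring points can be scripted against logs you already collect. The following added example (not part of the original article, and not a ConnectWise tool) flags Automate agent check-ins that reach the server on plain HTTP and spots an IP that answers with more than one MAC across ARP table polls, which is the signature of the ARP cache poisoning step. The flow record format, the ARP snapshots, the server address 10.20.0.5 and the assumption that cleartext check-ins land on tcp/80 are all constructed for the example; adjust the port and parser to your own sensor.

```python
"""Detection helpers for the two RMM-related IoCs discussed above (added example).

- cleartext_agent_checkins: flow records to the Automate server on tcp/80,
  which should be zero once 2025.9 enforces HTTPS.
- arp_conflicts: IPs seen with more than one MAC across ARP table snapshots,
  the observable left behind by ARP cache poisoning (T1557.002).
All inputs below are constructed, not real logs.
"""
import re
from collections import defaultdict

# Assumption: on-prem Automate server address and the cleartext agent port.
AUTOMATE_SERVER = "10.20.0.5"
CLEARTEXT_PORT = "80"

# Constructed flow records: "<timestamp> <src> <dst> <proto> <dport> <bytes>"
FLOW_LOG = """\
2025-10-17T09:00:01Z 10.20.1.11 10.20.0.5 tcp 443 1820
2025-10-17T09:00:04Z 10.20.1.12 10.20.0.5 tcp 80 1777
2025-10-17T09:00:09Z 10.20.1.13 10.20.0.5 tcp 443 1902
2025-10-17T09:00:11Z 10.20.1.12 10.20.0.5 tcp 80 4096
2025-10-17T09:00:20Z 10.20.1.14 93.184.216.34 tcp 80 512
garbage line that should be skipped
"""

# Constructed ARP table snapshots from a sensor on the RMM VLAN, one per poll.
# In the second poll the Automate server's IP suddenly resolves to a new MAC.
ARP_SNAPSHOTS = [
    "10.20.0.1 00:11:22:33:44:01\n10.20.0.5 00:11:22:33:44:05\n",
    "10.20.0.1 00:11:22:33:44:01\n10.20.0.5 DE:AD:BE:EF:00:01\n",
]

FLOW_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+) (\d+)$")


def cleartext_agent_checkins(log: str, server: str = AUTOMATE_SERVER,
                             port: str = CLEARTEXT_PORT) -> list:
    """Return (timestamp, source) for every flow to the server on the cleartext port."""
    hits = []
    for line in log.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue  # tolerate malformed records rather than crash the job
        ts, src, dst, proto, dport, _ = m.groups()
        if dst == server and proto == "tcp" and dport == port:
            hits.append((ts, src))
    return hits


def arp_conflicts(snapshots: list) -> dict:
    """Return {ip: sorted MACs} for every IP that resolved to more than one MAC."""
    seen = defaultdict(set)
    for snap in snapshots:
        for line in snap.splitlines():
            parts = line.split()
            if len(parts) != 2:
                continue
            ip, mac = parts
            seen[ip].add(mac.lower())  # normalise case before comparing
    return {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}


if __name__ == "__main__":
    for ts, src in cleartext_agent_checkins(FLOW_LOG):
        print(f"ALERT cleartext agent check-in from {src} at {ts}")
    for ip, macs in arp_conflicts(ARP_SNAPSHOTS).items():
        print(f"ALERT {ip} answered from multiple MACs: {', '.join(macs)}")
```

Port-based detection is a heuristic: an agent pointed at a non-standard port, or traffic that a proxy sees with the scheme intact, calls for matching on the URL rather than the destination port. The ARP check is deliberately simple; tools such as arpwatch do the same comparison continuously and also catch a MAC flip that reverts between polls.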

Lessons Learned

This incident underscores a broader truth in crypto security: the weakest link is often not the blockchain protocol itself but the surrounding infrastructure. Smart contract audits and on-chain monitoring mean little if the server managing your hot wallet can be silently compromised through an RMM tool. The ConnectWise vulnerability proves that supply chain and infrastructure-layer attacks remain among the most potent threats to digital asset operations.

User Action Required

If your organization uses ConnectWise Automate or any RMM tool, verify the patch status immediately. Confirm all agent communications use HTTPS, review update logs for suspicious activity, and ensure network segmentation between RMM infrastructure and crypto operations. In a market where a single compromised private key can mean millions in losses, infrastructure security deserves the same rigor as protocol-level defense.

Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Always consult with qualified cybersecurity professionals for your specific situation.


7 thoughts on “ConnectWise Automate Patch Exposes How RMM Tool Gaps Endanger Crypto Operations”

  1. msp_insider_

    CVE-2025-11492 with a 9.6 CVSS score means every MSP running unpatched Automate is basically handing attackers domain admin. crypto exchanges are just the juiciest targets on those networks

  2. SYSTEM-level access through fraudulent update packages is a nightmare scenario. any crypto startup using MSPs needs to audit their RMM stack yesterday

  3. the attack chain needs no user interaction. that's what makes this genuinely scary for any crypto operation managed by an MSP
