ConnectWise Implements Enhanced Code Signing Certificate Rotation to Address Security Vulnerabilities


ConnectWise is notifying its customers about the upcoming rotation of digital code signing certificates for its ScreenConnect, ConnectWise Automate, and ConnectWise RMM executables due to security concerns.

Digital certificates play a crucial role in validating executables, assuring users that the files originate from a verified source and remain unaltered during transmission.

This proactive measure was initiated following alerts from a third-party security researcher regarding potential vulnerabilities related to specific configuration data that could be exploited by malicious actors.

In reviewed correspondence, ConnectWise stated, “We are updating the digital signing certificates used in ConnectWise ScreenConnect, Automate, and RMM due to concerns raised by a third-party researcher about how ScreenConnect could potentially be misused by a bad actor.” The communication emphasized that the misuse stems from a configuration handling issue within the ScreenConnect installer and requires system-level access.

The rotation is not a response to any security incident and is unrelated to a recent cyberattack attributed to nation-state actors.

Moreover, in conjunction with the issuance of new certificates, ConnectWise will roll out updates aimed at enhancing the management of configuration data in ScreenConnect, reflecting a commitment to improving security measures.

The digital certificates under discussion originate from DigiCert, which was initially scheduled to revoke ConnectWise’s certificates on June 10, 2025, at 10:00 PM ET. However, ConnectWise successfully negotiated an extension until June 13, 2025, at 8:00 PM ET, likely due to the pending availability of ScreenConnect version 25.4 incorporating the new certificates.

This certificate rotation will affect both on-premises and cloud users, necessitating awareness of the deadline to mitigate potential operational disruptions.

ConnectWise has confirmed that the update for Automate is already available, with the ScreenConnect build expected to be released shortly.

Users are encouraged to access the vendor’s resources to download the latest builds along with relevant instructions and FAQs.

For those utilizing cloud-hosted versions of Automate, ScreenConnect, or RMM, ConnectWise will implement updates for certificates and agents automatically; however, this rollout will occur gradually.

Nonetheless, these users are advised to verify that their agent versions are current prior to the June 13 deadline to ensure continuous service delivery.
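One way to run that check on a Windows host is to inventory which signing certificate each installed binary carries. This is an added example, not code from ConnectWise or the original article; the search roots, the `ConnectWise` subject match, and the thumbprint placeholder are assumptions, and the old certificate's thumbprint must be taken from the vendor's advisory.

```powershell
# Added example: list Authenticode signers on installed vendor binaries so that
# files still signed with the certificate due for revocation stand out.
# Assumptions (not from the article): search roots, subject match string, and
# the thumbprint placeholder, which must be replaced with the real value.
param(
    [string[]]$Root = @($env:ProgramFiles, ${env:ProgramFiles(x86)}),
    [string]$SubjectMatch = 'ConnectWise',
    [string]$OldThumbprint = '<OLD-CERT-THUMBPRINT-FROM-VENDOR-ADVISORY>'
)

# Drop empty or missing roots (for example, no x86 folder on a 32-bit host).
$Root = $Root | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

$results = Get-ChildItem -Path $Root -Recurse -File -Include *.exe, *.dll -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName
        $cert = $sig.SignerCertificate
        # Keep only files whose signer subject matches the vendor name.
        if ($cert -and $cert.Subject -like "*$SubjectMatch*") {
            [pscustomobject]@{
                Path        = $_.FullName
                Status      = $sig.Status                      # Valid, HashMismatch, NotTrusted, ...
                Thumbprint  = $cert.Thumbprint
                Serial      = $cert.SerialNumber
                NotAfter    = $cert.NotAfter
                Timestamped = [bool]$sig.TimeStamperCertificate
                OldCert     = ($cert.Thumbprint -eq $OldThumbprint)
            }
        }
    }

# Summary: how many files each signing certificate covers.
$results | Group-Object Thumbprint |
    Select-Object Count, Name, @{ n = 'NotAfter'; e = { $_.Group[0].NotAfter } }

# Detail: files that need attention before the deadline, either because they
# carry the old certificate or because their signature no longer validates.
$results | Where-Object { $_.OldCert -or $_.Status -ne 'Valid' } |
    Sort-Object Path |
    Format-Table Path, Status, Thumbprint, Timestamped -AutoSize
```

Files listed in the second table after the agent update has run are the ones to reinstall or investigate.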

While ConnectWise has not elaborated on the reasons behind the certificate rotation, prior warnings from security researchers, including Andrew Brandt from Sophos, highlighted that threat actors were leveraging phishing sites to distribute pre-configured ConnectWise clients disguised as Social Security statements.

Brandt elaborated that “a spammer has been delivering a ConnectWise commercial remote access client application as a payload in a scam that uses the purported arrival of a US Social Security statement as its hook.” This approach lends potentially malicious executables an extra layer of apparent trust, because they appeared to be digitally signed.

The correlation between these attacks and the decision to rotate the code signing certificates remains unclear. Efforts to gain further clarification from ConnectWise regarding this matter were met with a referral back to the company’s advisory.