ConnectWise Automate Flaw Allows Attackers To Bypass Security Checks

ConnectWise disclosed CVE-2026-9089, a critical integrity-check flaw in the Automate agent’s plugin loading and self-update processes (CWE-494) with a CVSS 3.1 base score of 8.8; an adjacent-network attacker with no privileges or user interaction could substitute components to achieve high-impact remote code execution, posing a significant supply-chain risk to MSPs. Cloud instances were auto-updated; on-premises administrators must manually apply Automate 2026.5 which implements enhanced integrity verification—security teams are advised to prioritize patching given the history of similar weaponized CVEs.