CVE-2025-7204
BaseFortify
Publication date: 2025-07-09
Last updated on: 2025-08-20
Assigner: ConnectWise
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| connectwise | professional_service_automation | to 2025.9 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-201 | The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor. |
| CWE-NVD-CWE-noinfo |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in ConnectWise PSA versions older than 2025.9, where authenticated users can access sensitive user information through specific API requests. These requests return an overly verbose user object that includes encrypted password hashes of other users. An attacker or privileged user can retrieve these hashes and attempt offline brute-force or dictionary attacks to compromise credentials.
How can this vulnerability impact me? :
The vulnerability can lead to credential compromise by allowing attackers to obtain encrypted password hashes and perform offline attacks. This can result in unauthorized access to user accounts and potentially privilege escalation within the system, increasing the risk of further exploitation or data breaches.