CVE-2025-7204 in PSA
Summary
by MITRE • 07/09/2025
In ConnectWise PSA versions older than 2025.9, a vulnerability exists where authenticated users could gain access to sensitive user information. Specific API requests were found to return an overly verbose user object, which included encrypted password hashes for other users. Authenticated users could then retrieve these hashes.
An attacker or privileged user could then use these exposed hashes to conduct offline brute-force or dictionary attacks. Such attacks could lead to credential compromise, allowing unauthorized access to accounts, and potentially privilege escalation within the system.
Analysis
by VulDB Data Team • 07/10/2025
The vulnerability identified as CVE-2025-7204 affects ConnectWise PSA versions prior to 2025.9 and represents a critical information disclosure flaw that undermines the security posture of organizations relying on this platform for professional services automation. This vulnerability stems from improper access controls within the application's API endpoints, where authenticated users can exploit a design flaw to retrieve sensitive user data through overly verbose response objects. The flaw specifically manifests when certain API requests return complete user objects containing encrypted password hashes that should not be accessible to other users within the system.
The technical implementation of this vulnerability aligns with CWE-200, which addresses improper exposure of sensitive information, and CWE-352, concerning cross-site request forgery, as the flaw enables unauthorized data access through legitimate authenticated sessions. The vulnerability operates under the principle of least privilege violation, where the system fails to properly enforce access controls that should restrict user data access based on role and authorization levels. When authenticated users make specific API calls, the system responds with comprehensive user objects that include cryptographic hashes of passwords for other users in the system, effectively creating an information leakage channel.
The operational impact of CVE-2025-7204 extends beyond simple data exposure, as it provides attackers with the foundation for credential compromise through offline brute-force or dictionary attacks. This vulnerability creates a pathway for attackers to obtain password hashes that can then be processed through various attack vectors including rainbow table lookups, distributed computing attacks, or specialized password cracking tools. The exposed hashes represent a significant risk to organizational security since they allow for account takeover attempts without requiring network-based attacks or session hijacking techniques. The potential for privilege escalation exists when attackers successfully compromise user accounts, particularly if those accounts possess administrative or elevated privileges within the ConnectWise PSA environment.
Organizations affected by this vulnerability should implement immediate mitigations including upgrading to ConnectWise PSA version 2025.9 or later, which contains the necessary security patches to address the improper access control implementation. Network segmentation and monitoring should be enhanced to detect unusual API request patterns that might indicate exploitation attempts. Additionally, security teams should conduct comprehensive user access reviews to identify and remediate any unauthorized access that may have occurred. The mitigation strategy should also include implementing stronger password policies and multi-factor authentication to reduce the impact of credential compromise if attackers successfully exploit this vulnerability. From an ATT&CK framework perspective, this vulnerability maps to technique T1078.004 for valid accounts and T1110 for credential access, emphasizing the need for both preventive and detective security controls to address the exposure risk.
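The overly verbose user object described above can be caught by a response audit and closed with an allowlist serializer. The sketch below is an added example, not ConnectWise or VulDB code; the field names, response shape and sample data are constructed assumptions, since the page does not name the affected endpoints or fields.

```python
import json
import re

# Hypothetical key patterns; the page does not name the real PSA field names.
SENSITIVE_KEY = re.compile(r"pass(word|wd)?|hash|salt|secret|token", re.I)
PUBLIC_USER_FIELDS = ("id", "name", "email", "role")  # assumed allowlist


def find_sensitive_fields(node, path="$"):
    """Walk decoded JSON; return paths of non-empty keys that look like credentials."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if SENSITIVE_KEY.search(key) and value not in (None, "", [], {}):
                hits.append(child)
            hits.extend(find_sensitive_fields(value, child))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_sensitive_fields(item, f"{path}[{i}]"))
    return hits


def to_public_user(record):
    """Allowlist projection: only explicitly named fields leave the server."""
    return {k: record[k] for k in PUBLIC_USER_FIELDS if k in record}


# Constructed sample of an overly verbose response (not captured from PSA).
VERBOSE_RESPONSE = json.loads("""
{"ticket": {"id": 101, "owner": {"id": 7, "name": "A. Admin",
  "email": "admin@example.test", "role": "admin",
  "passwordHash": "CONSTRUCTED-HASH-1", "passwordSalt": "CONSTRUCTED-SALT"}},
 "watchers": [{"id": 9, "name": "B. User", "email": "b@example.test",
  "role": "tech", "passwordHash": "CONSTRUCTED-HASH-2"}]}
""")


def harden(response):
    """Rebuild the same response with every user object passed through the allowlist."""
    ticket = dict(response["ticket"])
    ticket["owner"] = to_public_user(ticket["owner"])
    watchers = [to_public_user(w) for w in response["watchers"]]
    return {"ticket": ticket, "watchers": watchers}


if __name__ == "__main__":
    print("verbose :", find_sensitive_fields(VERBOSE_RESPONSE))
    print("hardened:", find_sensitive_fields(harden(VERBOSE_RESPONSE)))
```

Run as a regression test against recorded API responses, the audit fails the build whenever a serializer change reintroduces a credential field that the allowlist would have dropped.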