Cyber Resilience

CVE-2026-9089

High

Published: 21 May 2026

Published
21 May 2026
Modified
22 May 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0031 22.9th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-9089 is a high-severity Download of Code Without Integrity Check (CWE-494) vulnerability in Connectwise Automate. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Compromise Software Supply Chain (T1195.002); ranked at the 22.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

The ConnectWise Automate™ Agent does not fully verify the authenticity of components obtained during plugin loading and self-update operations. This issue is addressed in Automate 2026.5.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1195.002 Compromise Software Supply Chain Initial Access
Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise.
Why these techniques?

CWE-494 (Download of Code Without Integrity Check) on plugin/self-update flows directly enables compromise of the software supply chain by allowing attacker-controlled components to be loaded and executed.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-6066Same product: Connectwise Automate
CVE-2025-15556Shared CWE-494
CVE-2026-0695Same vendor: Connectwise
CVE-2026-3502Shared CWE-494
CVE-2026-27180Shared CWE-494
CVE-2026-2999Shared CWE-494
CVE-2025-69263Shared CWE-494
CVE-2026-3000Shared CWE-494
CVE-2025-1058Shared CWE-494
CVE-2026-40066Shared CWE-494

Affected Assets

connectwise
automate
≤ 2026.5

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-494

Policies can require integrity verification of software prior to installation, reducing risks from unverified downloads.

addresses: CWE-494

Blocks installation of components lacking a valid signature, mitigating download or installation of code without integrity checks.

addresses: CWE-494

Acquisition and maintenance portions of the strategy drive requirements for integrity verification of downloaded or supplied code.

addresses: CWE-494

Mandating integrity control and approved-only changes during development prevents incorporation of code or components lacking integrity validation.

addresses: CWE-494

Supply chain protection requires integrity verification of acquired components, directly reducing insertion or tampering of malicious code during delivery.

addresses: CWE-494

Reduces exposure to code obtained without integrity verification by requiring assurance processes that confirm authenticity and absence of tampering.

addresses: CWE-494

Tamper resistance and detection commonly include integrity verification of code and firmware obtained from external sources.

addresses: CWE-494

Component authenticity requires verifying origin/integrity of acquired firmware or software, directly preventing inclusion of code without integrity checks.

References