Security advisory: Windows agent certificate rotation and installer hardening

Atera’s commitment

At Atera, we are committed to continuously strengthening our defenses. As part of this effort, we are hardening our installers to prevent unauthorized use. Most importantly, there has been no compromise to Atera’s systems, customers, or certificates, these steps are purely preventive to maintain security and trust.

Context

Across the industry, the number of threat actors looking to leverage and abuse legitimate leading platforms is on the rise, and this is just one of the ways we are staying ahead. We will require all users to utilize the new Atera Windows agent installer with the most up-to-date security certificate and features.

Security and trust are our top priorities. Today, we’re announcing a preventive security enhancement for all Windows agents used by Atera customers, encompassing both production and trial instances. This update involves rotating our digital signing certificates and introducing enhanced installer security measures to maintain integrity and trust.

This advisory applies to:

• All paying Atera customers
  
• All Windows agent installations in trial accounts

What’s changing and why

1. Certificate rotation
   Outdated certificates have been revoked in coordination with our issuing authority and replaced with newly issued certificates. This is a proactive measure to maintain our high-security standards, prevent misuse and not in response to any compromise.
   
2. Installer hardening
   The updated Windows MSI installer includes additional safeguards:
   
   • User acknowledgment: The installer now demands deliberate consent during installation.
     
   • Token validation: Under certain circumstances, a one-time unique installation token will be required to complete the setup.
     

Impacted installations and actions required

• New installations
  Moving forward, as of now, you must use our new updated MSI installer

• Old installer files
  Any old locally-stored installers, or those embedded in deployment pipelines, must be replaced by August 30 to avoid failed installs or disruptions.
  
• Existing devices with Windows agents
  The Atera agents will automatically upgrade in the background (no user intervention needed), provided devices have continuous network access. However, if the upgrade is not completed by August 30, 2025, devices will require a manual reinstall.
• Resources:
  Atera KB article for step-by-step instructions. 

If you need additional assistance, please contact our support team via live support chat.

Thank you for your partnership and for prioritizing trust and security with us.

Noam Vander, Chief Information Security Officer