ConnectWise has identified a critical vulnerability (CVE-2026-3564) within the ScreenConnect remote access platform, which is widely utilized by managed service providers, IT departments, and technology solution providers. This flaw can potentially allow attackers to hijack ScreenConnect sessions by exploiting weaknesses in ASP.NET machine keys, enabling them to forge trusted authentication without requiring user interaction.
About CVE-2026-3564
The vulnerability arises from improper verification of cryptographic signatures and affects all versions of ScreenConnect prior to version 26.1. Attackers can remotely exploit this vulnerability, posing a significant risk to users who have not yet updated their systems.
According to ConnectWise, earlier versions of ScreenConnect stored unique ASP.NET machine keys in server configuration files. Under certain conditions, this allowed unauthorized actors to extract these keys and misuse them for session authentication. Once an attacker hijacks a session, they can perform unauthorized actions within the ScreenConnect instance, which may include accessing employee computers, executing commands, or installing malware.
“ScreenConnect version 26.1 introduces enhanced protections for machine key handling, including encrypted storage and management, significantly reducing the risk of unauthorized access in scenarios where server integrity may be compromised,” ConnectWise stated. The updated version also provides administrators the capability to easily regenerate cryptographic material for their instances.
What Should Users Do?
In a related advisory, ConnectWise has indicated that security researchers have observed attempts to exploit the disclosed ASP.NET machine key material. However, the company has not confirmed any active exploitation of CVE-2026-3564 in the instances of ScreenConnect it hosts in the cloud. A spokesperson urged researchers who suspect active exploitation to engage in responsible disclosure so that findings can be validated and addressed promptly.
ConnectWise released ScreenConnect version 26.1 last week, alongside updates to server instances hosted in its cloud environment. Users operating on-premises or self-hosted instances are strongly encouraged to upgrade their systems as soon as possible to mitigate the risks associated with this vulnerability.
Organizations should also conduct thorough checks for any signs of prior compromise, including unusual authentication activities and unexpected administrative actions evident in the ScreenConnect logs. To further enhance security, ConnectWise advises the following:
- Review instance-level and server-level access controls to restrict access to sensitive application configurations and secrets.
- Ensure that access to backups, exported configuration archives, and historical snapshots is limited to trusted users and systems.
- Utilize only trusted and supported extensions, and keep them regularly updated.
As the cybersecurity landscape continues to evolve, staying informed of vulnerabilities and ensuring prompt updates is critical for maintaining the security of remote access solutions like ScreenConnect.
Subscribe to our breaking news e-mail alert to stay updated on the latest breaches, vulnerabilities, and cybersecurity threats.
Source: Help Net Security News