Ethical Hacking News
ScreenConnect users are advised to upgrade to version 26.1 immediately following a patch release by ConnectWise addressing a critical vulnerability that could allow hijacking of their platforms. The fix is available for both cloud-hosted and on-premises deployments, with automated upgrades provided for cloud users.
A critical cryptographic signature verification vulnerability (CVE-2026-3564) has been patched in ConnectWise's ScreenConnect platform. The vulnerability allows attackers to obtain machine keys, which can be used to generate or modify protected values and lead to unauthorized access. Cloud users have been automatically upgraded to a safer version (26.1), while on-premises administrators are advised to upgrade as soon as possible. Researchers have observed attempts to abuse disclosed ASP.NET machine key material in recent years, although it's unclear if this was exploited in the same way. ConnectWise recommends taking additional measures to protect against this vulnerability, including tightening access to configuration files and secrets, checking logs for unusual authentication activity, protecting backups and old data snapshots, and keeping extensions up to date.
ConnectWise, a leading provider of remote access solutions, has recently issued a patch to address a critical cryptographic signature verification vulnerability in its ScreenConnect platform. This vulnerability, identified as CVE-2026-3564 and rated High under CVSS v3.0, poses significant risks to the managed service providers (MSPs), IT departments, and support teams that use ScreenConnect.
The issue arises from a flaw in the way that ScreenConnect handles machine keys, which are used to authenticate sessions. According to ConnectWise, if an attacker can obtain the machine key material for a ScreenConnect instance, they may be able to generate or modify protected values in ways that could be accepted as valid by the instance, leading to unauthorized access and actions within the platform.
To mitigate this risk, ConnectWise has updated its ScreenConnect software to include stronger protection for machine keys, including encrypted storage and improved handling of these values starting from version 26.1. Cloud users have been automatically upgraded to this safe version, while system administrators managing on-premises deployments are advised to upgrade as soon as possible.
While the vendor claims that it has no evidence of active exploitation in the wild at the time of writing, researchers have observed attempts to abuse disclosed ASP.NET machine key material in recent years. It is unclear whether the same security flaw was leveraged in this instance or if separate attacks were conducted.
In past cases, attackers have exploited CVE-2025-3935 to steal secret machine keys used by ScreenConnect servers, illustrating the potential for significant damage when such vulnerabilities are exploited.
Apart from upgrading to ScreenConnect version 26.1, ConnectWise recommends several additional measures to protect against this vulnerability:
1. Tightening access to configuration files and secrets
2. Checking logs for unusual authentication activity
3. Protecting backups and old data snapshots
4. Keeping extensions up to date
These precautions are aimed at minimizing the risk of unauthorized access and actions within ScreenConnect, thereby safeguarding the integrity of remote access operations.
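Recommendations 1 and 3 can be checked mechanically. The added example below (not ConnectWise code) walks a directory tree, backup copies included, and reports which config files still hold literal ASP.NET `<machineKey>` key attributes. It assumes the standard ASP.NET `machineKey` layout; the sample files, paths and placeholder values are constructed, since the page does not say where ScreenConnect stores its keys.

```python
import os, tempfile
import xml.etree.ElementTree as ET
# Constructed sample files; key values are placeholders, not real key material.
T = "<configuration><system.web><machineKey %s</machineKey></system.web></configuration>"
SAMPLES = {
    "live/web.config": T % 'configProtectionProvider="RsaProtectedConfigurationProvider"><EncryptedData/>',
    "backup/web.config.bak": T % 'validationKey="PLACEHOLDER01" decryptionKey="PLACEHOLDER02">',
    "other/web.config": T % 'validationKey="AutoGenerate,IsolateApps">',
}
KEY_ATTRS = ("validationKey", "decryptionKey")

def plaintext_key_attrs(path):
    """Return the machineKey attributes in `path` that hold literal key material."""
    try:
        root = ET.parse(path).getroot()
    except (ET.ParseError, OSError):
        return []  # unreadable or not XML: nothing to report
    found = []
    for elem in root.iter():
        # Skip other elements and provider-encrypted sections (no raw keys there).
        if elem.tag.rsplit("}", 1)[-1] != "machineKey" or elem.get("configProtectionProvider"):
            continue
        found += [a for a in KEY_ATTRS if elem.get(a) and not elem.get(a).startswith("AutoGenerate")]
    return found

def audit(roots):
    """Walk each root and map file path -> names of exposed key attributes."""
    report = {}
    for top in roots:
        for dirpath, _dirs, files in os.walk(top):
            for name in files:
                path = os.path.join(dirpath, name)
                # ".config" also matches copies such as web.config.bak
                hits = plaintext_key_attrs(path) if ".config" in name.lower() else []
                if hits:
                    report[path] = hits
    return report

def write_samples(base):
    for rel, xml in SAMPLES.items():
        full = os.path.join(base, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(xml)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        write_samples(base)
        print(audit([base]))  # attribute names only, never the key values
```

Point `audit()` at the install directory and at wherever backups and snapshots are kept; any file it reports is a candidate for tighter access control or removal.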
Related Information:
https://www.ethicalhackingnews.com/articles/ScreenConnect-Users-Scramble-as-ConnectWise-Patches-Critical-Flaw-Allowing-Remote-Access-Hijacking-ehn.shtml
https://www.bleepingcomputer.com/news/security/connectwise-patches-new-flaw-allowing-screenconnect-hijacking/
https://www.connectwise.com/company/trust/security-bulletins/screenconnect-2025.8-security-patch
https://nvd.nist.gov/vuln/detail/CVE-2025-3935
https://www.cvedetails.com/cve/CVE-2025-3935/
https://nvd.nist.gov/vuln/detail/CVE-2026-3564
https://www.cvedetails.com/cve/CVE-2026-3564/
Published: Wed Mar 18 13:24:57 2026 by llama3.2 3B Q4_K_M