CVE-2026-3564: Critical ScreenConnect Flaw Enables Session Hijacking Through ASP.NET Machine Key Abuse

ConnectWise has released an emergency patch for a critical vulnerability (CVE-2026-3564) in its ScreenConnect remote access platform that could allow unauthenticated attackers to hijack legitimate sessions by forging authentication credentials using extracted ASP.NET machine keys.

Understanding the Vulnerability

The flaw affects all versions of ScreenConnect before version 26.1 and stems from improper verification of cryptographic signatures. Earlier versions stored unique ASP.NET machine keys per instance within server configuration files, which under certain conditions could allow unauthorized actors to extract this material and misuse it for session authentication.

Key technical details:

  • Exploitable remotely by unauthenticated attackers
  • No user interaction required
  • Affects on-premises and self-hosted instances
  • Cloud-hosted instances have already been patched by ConnectWise

Attack Impact

Once an attacker successfully hijacks a ScreenConnect session, they gain the same privileges as the legitimate user. Since ScreenConnect is widely used for managing remote devices, attackers could:

  • Open remote sessions to employee computers
  • Execute arbitrary commands
  • Install malware and backdoors
  • Exfiltrate sensitive data
  • Move laterally through the network

Why This Matters

ScreenConnect is a critical tool for managed service providers (MSPs), IT departments, and technology solution providers. A compromised ScreenConnect instance can serve as a gateway to hundreds or thousands of client endpoints. This type of supply chain attack vector has proven devastating in past incidents.

ConnectWise has confirmed that security researchers have observed attempts to abuse disclosed ASP.NET machine key material, though the company stated it has no evidence of exploitation in ConnectWise-hosted environments.

Recommended Actions

Immediate steps organizations should take:

  1. Upgrade to ScreenConnect v26.1 immediately for on-premises and self-hosted instances
  2. Review ScreenConnect logs for unusual authentication activity
  3. Check for unexpected administrative actions
  4. Regenerate cryptographic material using the new version’s built-in tools
  5. Restrict access to application configuration files and secrets
  6. Limit access to backups and configuration archives
  7. Audit and update all installed extensions
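
Steps 1, 5 and 6 above come down to two questions per instance: is the build below 26.1, and does its configuration (or a backup of it) hold a literal machine key? The following helper is an added example, not ConnectWise code; it assumes the configuration is a standard ASP.NET web.config with a `<system.web><machineKey>` element, and takes the version string and file contents as inputs rather than assuming ScreenConnect's install path.

```python
"""Added defensive helper: audit a web.config-style file for hard-coded
ASP.NET machine keys and check a version string against the 26.1 fix."""
import re
import xml.etree.ElementTree as ET

FIXED_VERSION = (26, 1)  # advisory: every release before 26.1 is affected

def parse_version(text):
    """'25.4.12.1' -> (25, 4, 12, 1); tuples compare component-wise."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def is_affected_version(version_text):
    """True when the installed build predates the fixed 26.1 release."""
    return parse_version(version_text) < FIXED_VERSION

def find_static_machine_keys(config_xml):
    """Report each <machineKey> attribute holding a literal key instead of
    AutoGenerate: such a key in the file, or a backup of it, is exactly the
    material needed to forge this instance's authentication tokens."""
    root = ET.fromstring(config_xml)
    findings = []
    for elem in root.iter("machineKey"):
        for attr, algo_attr in (("validationKey", "validation"),
                                ("decryptionKey", "decryption")):
            value = elem.get(attr, "AutoGenerate")
            if value.startswith("AutoGenerate"):
                continue  # AutoGenerate: no literal key kept in this file
            findings.append({"attribute": attr,
                             "algorithm": elem.get(algo_attr, "default"),
                             "hex_chars": len(value)})
    return findings

def audit(config_xml, version_text):
    """Combine both checks into one report for a server or a config backup."""
    return {"affected_version": is_affected_version(version_text),
            "static_keys": find_static_machine_keys(config_xml)}

# Constructed sample (not a real ScreenConnect file): a static machineKey
# of the kind the advisory says pre-26.1 installs kept in configuration.
SAMPLE_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="FEDCBA9876543210FEDCBA9876543210"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""

if __name__ == "__main__":
    # For a real server, pass the contents of the installed web.config
    print(audit(SAMPLE_CONFIG, "25.4.12.1"))
```

Run it against every configuration archive and backup you retain, not only the live server, since step 6 exists precisely because old copies of the file carry the same key.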

For more details, see the full advisory from Help Net Security.