CISA Alerts on ConnectWise ScreenConnect Authentication Vulnerability Actively Exploited

A critical improper authentication vulnerability has been discovered in ConnectWise ScreenConnect, tracked as CVE-2025-3935 and mapped to CWE-287 (Improper Authentication).

This flaw affects all ScreenConnect versions up to and including 25.2.3, exposing them to ViewState code injection attacks that could result in remote code execution (RCE) if machine keys are compromised.

Technical Details:

  • ViewState in ASP.NET: ScreenConnect leverages ASP.NET Web Forms, which use ViewState to persist page and control state between requests. ViewState data is encoded in Base64 and protected by machine keys (ValidationKey and DecryptionKey).
  • Attack Vector: If an attacker obtains the machine keys—requiring privileged system-level access—they can craft a malicious ViewState payload and send it via a POST request. Upon processing, the ASP.NET runtime decrypts and validates the ViewState, potentially executing attacker-supplied code on the server.
  • Exploitability: The vulnerability is rated high severity (CVSS 8.1/10) and is considered a Priority 1 risk, meaning it is either actively targeted or at high risk of exploitation.

Vulnerability Summary Table

| CVE | CWE | Severity | CVSS | Attack Vector | Impact |
|---|---|---|---|---|---|
| CVE-2025-3935 | 287 | High | 8.1 | ViewState Injection | Remote Code Execution |

Real-World Impact and Threat Landscape

ScreenConnect is widely used for remote desktop access, IT support, and asset management, making it a valuable target for attackers.

While there is no confirmed evidence that this specific vulnerability has been used in ransomware campaigns, ConnectWise has reported incidents involving suspected state-sponsored actors exploiting the flaw in limited customer environments. 

In the past, ScreenConnect vulnerabilities have been leveraged for data theft and ransomware deployment.

Incident Timeline:

  • December 2024: Microsoft Threat Intelligence observed in-the-wild misuse of publicly available ASP.NET machine keys to inject malicious code into servers, including ScreenConnect.
  • April 2025: ConnectWise released version 25.2.4, which disables ViewState and removes its dependency, effectively patching the vulnerability.
  • May 2025: ConnectWise disclosed that a sophisticated nation-state actor had breached its environment, affecting a small number of ScreenConnect customers.

Mitigation, Compliance, and Upgrade Guidance

ConnectWise has issued urgent guidance and patches to mitigate the vulnerability.

The company strongly recommends the following actions:

Mitigation Steps:

  1. Patch Immediately: Upgrade to ScreenConnect version 25.2.4 or later. This update disables ViewState and removes its dependency, closing the attack vector.
  2. Cloud Instances: No action is required for cloud-hosted ScreenConnect users on “screenconnect.com” or “hostedrmm.com,” as these platforms have already been updated.
  3. On-Premises Instances: Manual upgrade is mandatory for all on-premises deployments running 25.2.3 or earlier. Free security patches are available for select older versions.
  4. Security Hardening: After patching, reset administrator passwords, enable multi-factor authentication (MFA), and monitor for unusual activity.
  5. Compliance: Follow CISA’s Binding Operational Directive (BOD) 22-01 for federal agencies, which mandates remediation of known exploited vulnerabilities by the assigned due date (June 23, 2025).

Upgrade Path Table

| Current Version | Upgrade Path to 25.2.4+ |
|---|---|
| ≤ 23.9.7 | 1 → 2.5 → … → 23.9.8 → 25.2.4 |
| 25.2.3 | Direct upgrade to 25.2.4 |
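The affected range ("up to and including 25.2.3"), the cloud exemption and the upgrade-path table above can be turned into a small fleet-triage helper; the following is an added example, not ConnectWise or CISA code, and its version-padding rule and the treatment of versions the table does not list are this helper's own assumptions.

```python
"""Triage helper for CVE-2025-3935 in on-premises ScreenConnect.

Added example, not ConnectWise or CISA code. Encodes the advisory's affected
range (all versions up to and including 25.2.3) and upgrade-path table.
"""
import re
from typing import Tuple

FIXED = (25, 2, 4)            # first release that disables ViewState
LAST_VULNERABLE = (25, 2, 3)  # upper bound of the affected range
OLD_CUTOFF = (23, 9, 7)       # at or below this: stepped upgrade via 23.9.8
HOSTED_DOMAINS = ("screenconnect.com", "hostedrmm.com")  # already patched


def parse_version(text: str) -> Tuple[int, int, int]:
    """'25.2.3' or '23.9.10.8817' -> (major, minor, patch).

    Missing components count as 0 ('25.2' sorts below '25.2.3'); that is
    an assumption of this helper, not documented vendor behaviour.
    """
    parts = [int(p) for p in re.findall(r"\d+", text)]
    if not parts:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (parts + [0, 0, 0])[:3]
    return (major, minor, patch)


def is_hosted(hostname: str) -> bool:
    """True for cloud instances on the vendor domains named in the advisory."""
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in HOSTED_DOMAINS)


def triage(version: str, hostname: str = "") -> str:
    """Recommended action for one instance, following the advisory's steps."""
    if is_hosted(hostname):
        return "hosted: no action required, already updated by ConnectWise"
    v = parse_version(version)
    if v >= FIXED:
        return "patched: not affected by CVE-2025-3935"
    if v <= OLD_CUTOFF:
        return "vulnerable: stepped upgrade required (... -> 23.9.8 -> 25.2.4)"
    if v == LAST_VULNERABLE:
        return "vulnerable: upgrade directly to 25.2.4"
    # 23.9.8 .. 25.2.2 are not listed in the advisory's table: do not guess.
    return "vulnerable: upgrade to 25.2.4 or later, confirm path with vendor"
```

Feed it one `(version, hostname)` pair per server from your inventory; anything returned as "vulnerable" still needs the post-patch steps (password reset, MFA, monitoring) from the list above.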

Key Codes and Terms:

  • CVE-2025-3935: Vulnerability identifier for this flaw.
  • CWE-287: Classification for Improper Authentication.
  • ViewState: ASP.NET mechanism for state persistence.
  • Machine Keys: Cryptographic keys (ValidationKey, DecryptionKey) used to secure ViewState.

Administrators are urged to apply patches immediately, verify remediation, and follow best practices for securing remote access infrastructure to prevent exploitation and potential compromise.

About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.