ScreenConnect Vulnerability Patched by ConnectWise After Hijacking Threat

ConnectWise Warns of Critical Vulnerability in ScreenConnect Leading to Unauthorized Access

ConnectWise has issued a warning to ScreenConnect users regarding a significant cryptographic signature verification vulnerability that could potentially result in unauthorized access and privilege escalation.

The vulnerability impacts ScreenConnect versions prior to 26.1 and has been identified as CVE-2026-3564, receiving a critical severity score.

ScreenConnect, a remote access platform commonly used by managed service providers (MSPs), IT departments, and support teams, can be either cloud-hosted by ConnectWise or deployed on-premises on the customer’s server.

Exploiting this security flaw could allow an attacker to extract and utilize ASP.NET machine keys for unauthorized session authentication.

The vendor’s advisory states, “If the machine key material for a ScreenConnect instance is disclosed, a threat actor may be able to generate or modify protected values in ways that may be accepted by the instance as valid, potentially resulting in unauthorized access and actions within ScreenConnect.”

To address this vulnerability, ConnectWise has implemented enhanced protection for machine keys, including encrypted storage and improved handling in ScreenConnect version 26.1.

While cloud users have been automatically transitioned to the secure version, administrators managing on-premises deployments are urged to upgrade to version 26.1 promptly.

ConnectWise has noted attempts to exploit disclosed ASP.NET machine key material in the wild, emphasizing the current tangible risk posed by CVE-2026-3564.

Despite these attempts, the vendor has not identified any active exploitation in the wild as of the latest update and has no indicators of compromise (IoCs) to provide to defenders.

ConnectWise encourages researchers who suspect active exploitation to engage in responsible disclosure for proper validation and resolution.

Reports suggest that Chinese hackers may have been exploiting similar vulnerabilities for years, although it remains uncertain if the same security flaw was utilized.

In the past, nation-state hackers have targeted vulnerabilities like CVE-2025-3935 to steal the secret machine keys used by ScreenConnect servers.

Protective Measures and Recommendations

In addition to upgrading to ScreenConnect version 26.1, ConnectWise advises tightening access to configuration files and secrets, monitoring logs for unusual authentication activity, securing backups and old data snapshots, and ensuring extensions are kept up to date.
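
One way to act on the configuration-file and backup recommendations is to inventory every file that still holds literal machine key material. The script below is an added example, not ConnectWise code: it assumes the keys sit in a standard ASP.NET `<machineKey>` element with `validationKey`/`decryptionKey` attributes, and the directory to scan (install folder, backup share, mounted snapshot) is supplied by the operator.

```python
import os
import re
import stat

# Standard ASP.NET <machineKey> element and its two key-bearing attributes.
MACHINE_KEY = re.compile(r"<machineKey\b[^>]*>", re.IGNORECASE)
KEY_ATTR = re.compile(r'\b(validationKey|decryptionKey)\s*=\s*"([^"]*)"', re.IGNORECASE)


def plaintext_key_attrs(text):
    """Return names of machineKey attributes that hold literal key material."""
    found = []
    for element in MACHINE_KEY.findall(text):
        for name, value in KEY_ATTR.findall(element):
            # "AutoGenerate..." means no literal key is stored in the file.
            if value and not value.lower().startswith("autogenerate"):
                found.append(name)
    return sorted(set(found))


def audit_tree(root):
    """Walk root and report every file that stores literal machine key material."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    attrs = plaintext_key_attrs(fh.read(1_000_000))
                mode = os.stat(path).st_mode
            except OSError:
                continue  # not readable by the auditing account: skip it
            if attrs:
                findings.append({
                    "path": path,
                    "attrs": attrs,
                    # POSIX mode bit only; on Windows review the file's ACL instead.
                    "world_readable": bool(mode & stat.S_IROTH),
                })
    return sorted(findings, key=lambda f: f["path"])


if __name__ == "__main__":
    import sys
    for f in audit_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f["path"], f["attrs"], "world-readable" if f["world_readable"] else "")
```

Hits in backup folders and old snapshots matter as much as the live configuration file, since a copy taken before the upgrade can still contain the keys in plaintext.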
