Summary
ConnectWise has released an urgent security patch for its ScreenConnect remote access software to address a critical vulnerability, tracked as CVE-2025-3935, that could allow attackers to execute malicious code on affected systems. The vulnerability, classified under CWE-287 (Improper Authentication), affects all ScreenConnect versions up to 25.2.3, which are susceptible to ViewState code injection attacks, and carries a high-severity CVSS score of 8.1/10.
The flaw stems from the way ASP.NET Web Forms handle ViewState, a mechanism for preserving state between server requests. ViewState data is encoded using Base64 and protected by machine keys, which require privileged system-level access to compromise. If these keys are compromised, attackers could inject malicious ViewState data into vulnerable ScreenConnect sites, potentially enabling remote code execution (RCE) on the server. This issue could affect any product utilizing the ASP.NET framework ViewStates, not just ScreenConnect.
ConnectWise has rolled out a patch that addresses the vulnerability by disabling ViewState and removing its dependency. Cloud-based users on platforms like “screenconnect[.]com” or “hostedrmm[.]com” for Automate partners have already been updated. On-premises users must manually upgrade, especially if using version 25.2.3 or earlier. Free security patches are available for select older versions dating back to release 23.9.
This vulnerability highlights ongoing security challenges in remote access software amidst growing distributed work environments. CTIX analysts strongly urge all organizations using ScreenConnect to implement the patched version immediately to protect their infrastructure from potential exploitation.
Vulnerability Details
- ConnectWise has released a security patch for ScreenConnect to address a critical vulnerability, CVE-2025-3935.
- The vulnerability allows attackers to execute malicious code on affected systems through ViewState code injection attacks.
- It is identified under CWE-287 (Improper Authentication) with a high severity CVSS score of 8.1/10.
- The issue affects how ASP.NET Web Forms handle ViewState data, which is encoded using Base64 and protected by machine keys.
Affected Versions & Exploitation Risk
- All ScreenConnect versions up to and including 25.2.3 are affected.
- Exploitation requires the machine keys to be compromised first, which takes privileged system-level access; with the keys, an attacker can inject malicious ViewState data.
- ScreenConnect is not the only product at risk; any product utilizing ASP.NET framework ViewStates could be impacted.
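Because the protection described above rests on the machine keys and the ViewState settings of the ASP.NET application, the following added example (not from ConnectWise or the original briefing) audits a `web.config` for static keys, a disabled ViewState MAC, and enabled ViewState. The sample config, its key values, and the list of disclosed-key fingerprints are constructed for illustration.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample web.config; the key values are made up for this example.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="00112233445566778899AABBCCDDEEFF00112233"
                decryptionKey="AutoGenerate,IsolateApps" validation="SHA1" />
    <pages enableViewStateMac="false" />
  </system.web>
</configuration>"""

def key_fingerprint(key_hex):
    """SHA-256 of the normalised key, so lists can be compared without storing keys."""
    return hashlib.sha256(key_hex.strip().upper().encode()).hexdigest()

def audit_web_config(xml_text, disclosed_fingerprints=frozenset()):
    """Return (severity, message) findings about ViewState protection."""
    findings = []
    root = ET.fromstring(xml_text)
    # iter() also reaches <system.web> sections nested under <location>.
    for mk in root.iter("machineKey"):
        for attr in ("validationKey", "decryptionKey"):
            value = mk.get(attr, "AutoGenerate")
            if value.upper().startswith("AUTOGENERATE"):
                continue  # generated per machine, not stored in the file
            findings.append(("warn", f"static {attr} stored in web.config"))
            if key_fingerprint(value) in disclosed_fingerprints:
                findings.append(("critical", f"{attr} matches a disclosed key"))
    pages = list(root.iter("pages"))
    for pg in pages:
        if pg.get("enableViewStateMac", "true").lower() == "false":
            findings.append(("critical", "enableViewStateMac is false"))
    # ViewState is on by default in Web Forms unless a <pages> element turns it off.
    if not any(pg.get("enableViewState", "true").lower() == "false" for pg in pages):
        findings.append(("info", "ViewState is enabled"))
    return findings

if __name__ == "__main__":
    # Hypothetical local list of fingerprints of keys known to be public.
    disclosed = {key_fingerprint("00112233445566778899AABBCCDDEEFF00112233")}
    for severity, message in audit_web_config(SAMPLE_WEB_CONFIG, disclosed):
        print(f"{severity:8} {message}")
```

A static key that matches a disclosed fingerprint should be treated as compromised and rotated, not just flagged.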
Research & Exploitability
- Security researchers discovered the susceptibility to ViewState code injection attacks in ScreenConnect versions 25.2.3 and earlier.
- Microsoft previously warned about similar ViewState code injection patterns, with over 3,000 publicly disclosed keys identified as potential risks.
- The vulnerability is actively targeted or at high risk of exploitation, following a pattern of previous attacks on ScreenConnect.
Mitigations and Recommendations
- ConnectWise has released ScreenConnect version 25.2.4, which addresses the vulnerability by disabling ViewState.
- Cloud-based users on “screenconnect[.]com” and “hostedrmm[.]com” have been updated automatically.
- On-premises users are urged to upgrade to version 25.2.4, especially if using versions 25.2.3 or earlier.
- The upgrade path is 22.8 → 23.3 → 25.2.4.
- Free security patches are available for select older versions dating back to release 23.9.
- Users with expired maintenance licenses should renew them to facilitate upgrades.
- All on-premises partners should assess their systems for signs of compromise before bringing them online.
- In case of suspected compromise, follow standard incident response procedures, including server isolation and backup creation.
- ConnectWise provides support for upgrade-related inquiries to assist partners in maintaining robust security.

© Copyright 2025. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.