ARTICLE
7 May 2025

ScreenConnect Users Advised To Patch Critical Vulnerability Letting Attackers Inject Malicious Code

AC
Ankura Consulting Group LLC

Contributor

Ankura Consulting Group LLC logo
Ankura Consulting Group, LLC is an independent global expert services and advisory firm that delivers end-to-end solutions to help clients at critical inflection points related to conflict, crisis, performance, risk, strategy, and transformation. Ankura consists of more than 1,800 professionals and has served 3,000+ clients across 55 countries. Collaborative lateral thinking, hard-earned experience, and multidisciplinary capabilities drive results and Ankura is unrivalled in its ability to assist clients to Protect, Create, and Recover Value. For more information, please visit, ankura.com.
Explore Firm Details
ConnectWise has released an urgent security patch for its ScreenConnect remote access software to address a critical vulnerability...
United States Technology
Pierre Jeppsson

Summary

ConnectWise has released an urgent security patch for its ScreenConnect remote access software to address a critical vulnerability, tracked as CVE-2025-3935, that could allow attackers to execute malicious code on affected systems. This vulnerability, tracked under CWE-287 (Improper Authentication), affects all ScreenConnect versions up to 25.2.3 and is susceptible to ViewState code injection attacks, earning a high severity CVSS score of 8.1/10.

The flaw exploits the way ASP.NET Web Forms handle ViewState, a mechanism for preserving state between server requests. ViewState data is encoded using Base64 and protected by machine keys, which require privileged system-level access to compromise. If these keys are compromised, attackers could inject malicious ViewState data into vulnerable ScreenConnect sites, potentially enabling remote code execution (RCE) on the server. This issue could affect any product utilizing the ASP.NET framework ViewStates, not just ScreenConnect.

ConnectWise has rolled out a patch that addresses the vulnerability by disabling ViewState and removing its dependency. Cloud-based users on platforms like "screenconnect[.]com" or "hostedrmm[.]com" for Automate partners have already been updated. On-premises users must manually upgrade, especially if using version 25.2.3 or earlier. Free security patches are available for select older versions dating back to release 23.9.

This vulnerability highlights ongoing security challenges in remote access software amidst growing distributed work environments. CTIX analysts strongly urge all organizations using ScreenConnect to implement the patched version immediately to protect their infrastructure from potential exploitation.

Vulnerability Detailssing versions 25.2.3 or earlier.

  • ConnectWise has released a security patch for ScreenConnect to address a critical vulnerability, CVE-2025-3935.
  • The vulnerability allows attackers to execute malicious code on affected systems through ViewState code injection attacks.
  • It is identified under CWE-287 (Improper Authentication) with a high severity CVSS score of 8.1/10.
  • The issue affects how ASP.NET Web Forms handle ViewState data, which is encoded using Base64 and protected by machine keys.

Affected Versions & Exploitation Risk

  • All ScreenConnect versions up to and including 25.2.3 are affected.
  • The vulnerability requires privileged system-level access to compromise machine keys, allowing malicious ViewState data injection.
  • ScreenConnect is not the only product at risk; any product utilizing ASP.NET framework ViewStates could be impacted.

Research & Exploitability

  • Security researchers discovered the susceptibility to ViewState code injection attacks in ScreenConnect versions 25.2.3 and earlier.
  • Microsoft previously warned about similar ViewState code injection patterns, with over 3,000 publicly disclosed keys identified as potential risks.
  • The vulnerability is actively targeted or at high risk of exploitation, following a pattern of previous attacks on ScreenConnect.

Mitigations and Recommendations

  1. ConnectWise has released ScreenConnect version 25.2.4, which addresses the vulnerability by disabling ViewState.
  2. Cloud-based users on "screenconnect[.]com" and "hostedrmm[.]com" have been updated automatically.
  3. On-premises users are urged to upgrade to version 25.2.4, especially if using versions 25.2.3 or earlier.
    • The upgrade path is 22.8 → 23.3 → 25.2.4.
  4. Free security patches are available for select older versions dating back to release 23.9.
  5. Users with expired maintenance licenses should renew them to facilitate upgrades.
  6. All on-premises partners should assess their systems for signs of compromise before bringing them online.
  7. In case of suspected compromise, follow standard incident response procedures, including server isolation and backup creation.
  8. ConnectWise provides support for upgrade-related inquiries to assist partners in maintaining robust security.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Authors
Person photo placeholder
Pierre Jeppsson
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More