ConnectWise is warning ScreenConnect customers of a cryptographic signature verification vulnerability that could result in unauthorized access and privilege escalation.
The flaw impacts ScreenConnect versions earlier than 26.1. It is tracked as CVE-2026-3564 and received a critical severity rating.
ScreenConnect is a remote access platform used by managed service providers (MSPs), IT departments, and support teams. It can be either cloud-hosted by ConnectWise or hosted on-premises on the customer's server.
An attacker could exploit the security issue to extract and use the ASP.NET machine keys for unauthorized session authentication.
“If the machine key material for a ScreenConnect instance is disclosed, a threat actor might be able to generate or modify protected values in ways that could be accepted by the instance as legitimate,” reads the vendor’s advisory.
“This can result in unauthorized access and unauthorized actions within ScreenConnect.”
The vendor addressed this by adding stronger protection for machine keys, including encrypted storage and improved handling, starting with ScreenConnect version 26.1.
Cloud users have been automatically moved to the protected version, but system administrators managing on-premises deployments must upgrade to version 26.1 as soon as possible.
ConnectWise also stated that researchers observed attempts to abuse disclosed ASP.NET machine key material in the wild, so the risk from CVE-2026-3564 is tangible right now.
However, the vendor told BleepingComputer that it has no evidence of active exploitation in the wild as of writing, and therefore has no indicators of compromise (IoCs) to share with defenders.
“We do not have evidence that this specific vulnerability (CVE-2026-3564) was exploited in ConnectWise-hosted ScreenConnect, so we do not have any confirmed IOCs to share,” said ConnectWise to BleepingComputer.
“We encourage any researchers who believe they’ve identified active exploitation to engage in responsible disclosure so findings can be validated and addressed appropriately.”
However, there are claims that the issue has been actively exploited by Chinese hackers for years, but it’s unclear if the same security flaw was leveraged.
There have previously been attacks from nation-state hackers that exploited CVE-2025-3935 to steal the secret machine keys used by a ScreenConnect server.
Apart from upgrading to ScreenConnect version 26.1, the software vendor also recommends tightening access to configuration files and secrets, checking logs for unusual authentication activity, protecting backups and old data snapshots, and keeping extensions up to date.
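As an added example (not from ConnectWise or the original article), the following audit classifies how an ASP.NET configuration stores its machine key, which helps when reviewing configuration files, backups and old snapshots for key material left in the clear. It assumes the standard ASP.NET `<machineKey>` element layout; the article does not describe ScreenConnect's own storage format, and the sample configs and key values are constructed placeholders.

```python
import xml.etree.ElementTree as ET


def audit_machine_key(config_xml: str) -> str:
    """Classify machine key storage in an ASP.NET config document.

    Returns 'absent', 'auto-generated', 'encrypted' or 'plaintext'.
    """
    root = ET.fromstring(config_xml)
    node = root.find(".//machineKey")
    if node is None:
        return "absent"
    # A protected section carries a provider attribute and an
    # <EncryptedData> child instead of literal key attributes.
    if node.get("configProtectionProvider") or any(
        child.tag.endswith("EncryptedData") for child in node
    ):
        return "encrypted"
    keys = [node.get("validationKey", "AutoGenerate"),
            node.get("decryptionKey", "AutoGenerate")]
    if all(k.startswith("AutoGenerate") for k in keys):
        return "auto-generated"
    # At least one literal key is readable by anyone who can read the file.
    return "plaintext"


# Constructed samples; key values are placeholders, not real keys.
SAMPLES = {
    "no_key": "<configuration><system.web/></configuration>",
    "auto": '<configuration><system.web><machineKey '
            'validationKey="AutoGenerate,IsolateApps" '
            'decryptionKey="AutoGenerate,IsolateApps"/></system.web></configuration>',
    "literal": '<configuration><system.web><machineKey validationKey="A1B2C3D4" '
               'decryptionKey="E5F6A7B8" validation="HMACSHA256" '
               'decryption="AES"/></system.web></configuration>',
    "protected": '<configuration><system.web><machineKey '
                 'configProtectionProvider="RsaProtectedConfigurationProvider">'
                 '<EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#">'
                 '<CipherData><CipherValue>PLACEHOLDER</CipherValue></CipherData>'
                 '</EncryptedData></machineKey></system.web></configuration>',
}


def audit_all(samples=SAMPLES):
    """Map each sample name to its storage classification."""
    return {name: audit_machine_key(xml) for name, xml in samples.items()}


if __name__ == "__main__":
    for name, state in audit_all().items():
        print(f"{name:10} {state:15} {'REVIEW' if state == 'plaintext' else 'ok'}")
```

A `plaintext` result on a live config, backup or snapshot means the key material is exposed to anyone with read access to that file.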




