CVE-2025-3935
Published 2025-04-25
Priority: P1 · 80 · high
CVSS 3.1: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
CISA Known Exploited Vulnerability (due 2025-06-23)
Exploited in the wild
EPSS: 3.29% (87.0th percentile)
ScreenConnect versions 25.2.3 and earlier versions may be susceptible to a ViewState code injection attack. ASP.NET Web Forms use ViewState to preserve page and control state, with data encoded using Base64 protected by machine keys.
It is important to note that to obtain these machine keys, privileged system level access must be obtained.
If these machine keys are compromised, attackers could create and send a malicious ViewState to the website, potentially leading to remote code execution on the server.
The risk does not originate from a vulnerability introduced by ScreenConnect, but from platform level behavior. This had no direct impact to ScreenConnect Client. ScreenConnect 2025.4 patch disables ViewState and removes any dependency on it.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| connectwise | screenconnect | < 25.2.4 | 25.2.4 |
| connectwise | screenconnect | — | — |
| msrc | cm1_pgbouncer_1.16.1-1_on_cbl_mariner_1.0 | — | — |
Detection & IOCs (extracted from sources)
- Monitor ScreenConnect servers for suspicious ViewState payloads: malicious Base64-encoded ViewState data crafted using stolen machine keys may indicate exploitation of CVE-2025-3935
- Threat actors require privileged system-level access to steal ASP.NET machine keys before exploiting this vulnerability; monitor for privilege escalation or unauthorized access to ScreenConnect server configuration files containing machine key material
- Focus detection on cloud-hosted ScreenConnect instances at screenconnect.com and hostedrmm.com, as the confirmed breach only impacted cloud-hosted deployments
- Check logs for unusual authentication activity and review access to configuration files and secrets on ScreenConnect servers, as recommended by ConnectWise in response to related machine key abuse
- CVE-2025-3935 is listed in CISA KEV; federal agencies must apply mitigations or discontinue use by June 23; treat any unpatched ScreenConnect ≤25.2.3 instance as actively targeted
- Exploitation requires prior privileged system-level access to obtain ASP.NET machine keys; this is a precondition, not a standalone remote vulnerability
- ScreenConnect Client (host/guest) is not impacted; only the server component is affected
- ConnectWise has not confirmed CVE-2025-3935 as the specific attack vector used in the nation-state breach, and has not released IOCs
CVSS provenance
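| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | | 8.1 | HIGH | |
| cisa | | 7.2 | HIGH | |
| vendor_msrc | | 8.1 | HIGH | |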
CISA
ConnectWise ScreenConnect Improper Authentication Vulnerability
cisa·2025-06-02·CVSS 7.2
CVE-2025-3935 [HIGH] CWE-287 ConnectWise ScreenConnect Improper Authentication Vulnerability
Vulnerability: ConnectWise ScreenConnect Improper Authentication Vulnerability
Affected: ConnectWise ScreenConnect
ConnectWise ScreenConnect contains an improper authentication vulnerability. This vulnerability could allow a ViewState code injection attack, which could allow remote code execution if machine keys are compromised.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://www.connectwise.com/company/trust/security-bulletins/screenconnect-security-patch-2025.4 ; https://nvd.nist.gov/vuln/detail/CVE-2025-3935
Remediation Due Date: 2025-06-23
Microsoft
When PgBouncer is configured to use "cert" authentication a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established despite the use of TLS certificate verifi
vendor_msrc·2021-11-09·CVSS 8.1
CVE-2021-3935 [HIGH] CWE-295 When PgBouncer is configured to use "cert" authentication a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established despite the use of TLS certificate verifi
When PgBouncer is configured to use "cert" authentication a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established despite the use of TLS certificate verification and encryption. This flaw affects PgBouncer versions prior to 1.16.1.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more inf
GHSA
GHSA-qjrp-xr9r-wmrg: ScreenConnect versions 25
ghsa_unreviewed·2025-04-25
CVE-2025-3935 [HIGH] CWE-287 GHSA-qjrp-xr9r-wmrg: ScreenConnect versions 25
VulnCheck
ConnectWise ScreenConnect Improper Authentication Vulnerability
vulncheck·2025·CVSS 8.1
CVE-2025-3935 [HIGH] CWE-287 ConnectWise ScreenConnect Improper Authentication Vulnerability
ConnectWise ScreenConnect contains an improper authentication vulnerability. This vulnerability could allow a ViewState code injection attack, which could allow remote code execution if machine keys are compromised.
Affected: ConnectWise ScreenConnect
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://thehackernews.com/2025/05/connectwise-hit-by-cyberattack-nation.html; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://falconfeeds.io/blogs/unmasking-handala-iran-cyber-threat-psyops; https://www.withsecure.com/content/d
No detection rules found.
No public exploits indexed.
Bleepingcomputer
ConnectWise patches new flaw allowing ScreenConnect hijacking
blogs_bleepingcomputer·2026-03-18·CVSS 9.0
CVE-2026-3564 [CRITICAL] ConnectWise patches new flaw allowing ScreenConnect hijacking
## ConnectWise patches new flaw allowing ScreenConnect hijacking
## Bill Toulas
ConnectWise is warning ScreenConnect customers of a cryptographic signature verification vulnerability that could lead to unauthorized access and privilege escalation.
The flaw affects ScreenConnect versions before 26.1. It is tracked as CVE-2026-3564 and received a critical severity score.
ScreenConnect is a remote access platform typically used by managed service providers (MSPs), IT departments, and support teams. It can be either cloud-hosted by ConnectWise or on-premise on the customer's server.
An attacker could exploit the security issue to extract and use the ASP.NET machine keys for unauthorized session authentication.
“If the machine key material for a ScreenConnect instance is disclosed, a thre
Bleepingcomputer
CISA warns of ConnectWise ScreenConnect bug exploited in attacks
blogs_bleepingcomputer·2025-06-03·CVSS 9.8
[CRITICAL] CISA warns of ConnectWise ScreenConnect bug exploited in attacks
## CISA warns of ConnectWise ScreenConnect bug exploited in attacks
## Ionut Ilascu
CISA is alerting federal agencies in the U.S. of hackers exploiting a recently patched ScreenConnect vulnerability that could lead to executing remote code on the server.
The agency is warning that four other security problems affecting ASUS routers and the Craft content management system (CMS) are also actively exploited.
## Improper authentication in ConnectWise ScreenConnect
On April 24, ConnectWise addressed the security issue, tracked as CVE-2025-3935, stating that the vulnerability could be exploited for a ViewState code injection attack.
The vendor notes that ASP.NET Web Forms rely on the ViewState component to preserve page and control state using base64-encoded data that is protected by machi
Bleepingcomputer
ConnectWise breached in cyberattack linked to nation-state hackers
blogs_bleepingcomputer·2025-05-29
## ConnectWise breached in cyberattack linked to nation-state hackers
## Lawrence Abrams
IT management software firm ConnectWise says a suspected state-sponsored cyberattack breached its environment and impacted a limited number of ScreenConnect customers.
"ConnectWise recently learned of suspicious activity within our environment that we believe was tied to a sophisticated nation state actor, which affected a very small number of ScreenConnect customers," ConnectWise shared in a brief advisory.
"We have launched an investigation with one of the leading forensic experts, Mandiant. We have contacted all affected customers and are coordinating with law enforcement."
ConnectWise is a Florida-based software company that provides IT management, RMM (remote monitoring and management), cybe
Wiz
CVE-2025-14265 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 10.0
CVE-2025-14265 [CRITICAL] CVE-2025-14265 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14265: ScreenConnect Server vulnerability analysis and mitigation
In versions of ScreenConnect™ prior to 25.8, server-side validation and integrity checks within the extension subsystem could allow the installation and execution of untrusted or arbitrary extensions by authorized or administrative users. Abuse of this behavior could result in the execution of custom code on the server or unauthorized access to application configuration data. This issue affects only the ScreenConnect server component; host and guest clients are not impacted. ScreenConnect 25.8 introduces enhanced server-side configuration handling and integrity checks to ensure only trusted extensions can be installed.
Source: NVD
Score: 9.1
Published: December 11, 2025
Severity: CRITICAL
CNA Score 9.
Wiz
CVE-2025-14823 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 10.0
CVE-2025-14823 [CRITICAL] CVE-2025-14823 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14823: ScreenConnect Server vulnerability analysis and mitigation
In deployments using the ScreenConnect™ Certificate Signing Extension, encrypted configuration values including an Azure Key Vault-related key, could be returned to unauthenticated users through a client-facing endpoint under certain conditions. The values remained encrypted and securely stored at rest; however, an encrypted representation could be exposed in client responses. Updating the Certificate Signing Extension to version 1.0.12 or higher ensures configuration handling occurs exclusively on the server side, preventing encrypted values from being transmitted to or rendered by client-side components.
Source: NVD
Score: 5.3
Published: December 18, 2025
Severity: MEDIUM
CNA Score: 5.3
Affected Tec
Wiz
CVE-2026-3564 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 10.0
CVE-2026-3564 [CRITICAL] CVE-2026-3564 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3564: ScreenConnect Server vulnerability analysis and mitigation
A condition in ScreenConnect may allow an actor with access to server-level cryptographic material used for authentication to obtain unauthorized access, including elevated privileges, in certain scenarios.
Source: NVD
Score: 9
Published: March 17, 2026
Severity: CRITICAL
CNA Score: 9.0
Affected Technologies: ScreenConnect Server
Has Public Exploit: Yes
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 9.7
Exploitation Probability (EPSS): N/A
Affected packages and libraries: cpe:2.3:a:connectwise:screenconnect
Sources: NVD
Linux Severity CRITICAL Has Fix Added at: Mar 19, 2026
Windows Severity CRITICAL Has Fix Added at: Mar 19, 20
- 2025-04-25: Published
- 2025-06-02: Added to CISA KEV
- Exploited in the wild