cbcvebase.
CVE-2025-3935
published 2025-04-25

CVE-2025-3935: ScreenConnect versions 25.2.3 and earlier versions may be susceptible to a ViewState code injection attack. ASP.NET Web Forms use ViewState to preserve page…

PriorityP180high7.2CVSS 3.1
AVNACLPRHUINSUCHIHAH
KEVITW
CISA Known Exploited Vulnerabilitydue 2025-06-23
Exploited in the wild
EPSS
3.29%
87.0th percentile
ScreenConnect versions 25.2.3 and earlier versions may be susceptible to a ViewState code injection attack. ASP.NET Web Forms use ViewState to preserve page and control state, with data encoded using Base64 protected by machine keys. It is important to note that to obtain these machine keys, privileged system level access must be obtained. If these machine keys are compromised, attackers could create and send a malicious ViewState to the website, potentially leading to remote code execution on the server. The risk does not originate from a vulnerability introduced by ScreenConnect, but from platform level behavior. This had no direct impact to ScreenConnect Client. ScreenConnect 2025.4 patch disables ViewState and removes any dependency on it.

Affected

3 ranges
VendorProductVersion rangeFixed in
connectwisescreenconnect< 25.2.425.2.4
connectwisescreenconnect
msrccm1_pgbouncer_1.16.1-1_on_cbl_mariner_1.0

Detection & IOCsextracted from sources · hover to see the quote

  • Monitor ScreenConnect servers for suspicious ViewState payloads — malicious Base64-encoded ViewState data crafted using stolen machine keys may indicate exploitation of CVE-2025-3935
  • Threat actors require privileged system-level access to steal ASP.NET machine keys before exploiting this vulnerability; monitor for privilege escalation or unauthorized access to ScreenConnect server configuration files containing machine key material
  • Focus detection on cloud-hosted ScreenConnect instances at screenconnect.com and hostedrmm.com, as the confirmed breach only impacted cloud-hosted deployments
  • Check logs for unusual authentication activity and review access to configuration files and secrets on ScreenConnect servers, as recommended by ConnectWise in response to related machine key abuse
  • CVE-2025-3935 is listed in CISA KEV; federal agencies must apply mitigations or discontinue use by June 23 — treat any unpatched ScreenConnect ≤25.2.3 instance as actively targeted
  • ·Exploitation requires prior privileged system-level access to obtain ASP.NET machine keys; this is a precondition, not a standalone remote vulnerability
  • ·ScreenConnect Client (host/guest) is not impacted — only the server component is affected
  • ·ConnectWise has not confirmed CVE-2025-3935 as the specific attack vector used in the nation-state breach, and has not released IOCs

CVSS provenance

nvdv3.17.2HIGHCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
vulncheck8.1HIGH
cisa7.2HIGH
vendor_msrc8.1HIGH
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.