CVE-2026-3564
published 2026-03-17CVE-2026-3564: A condition in ScreenConnect may allow an actor with access to server-level cryptographic material used for authentication to obtain unauthorized access…
PriorityP183critical9CVSS 3.1
AVNACHPRNUINSCCHIHAH
ITWVulnCheck KEV
Exploited in the wild
EPSS
0.36%
28.1th percentile
A condition in ScreenConnect may allow an actor with access to server-level cryptographic material used for authentication to obtain unauthorized access, including elevated privileges, in certain scenarios.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| connectwise | screenconnect | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Monitor ScreenConnect logs for unusual authentication activity, which may indicate abuse of disclosed ASP.NET machine key material to forge or modify protected session values ↗
- →Detect attempts to extract or access ASP.NET machine keys from ScreenConnect server configuration files or backups, as these keys can be used to generate valid forged session tokens ↗
- →Alert on any ScreenConnect instance running a version prior to 26.1, as all prior versions are vulnerable to this cryptographic signature verification flaw ↗
- →Correlate with prior CVE-2025-3935 exploitation activity (machine key theft), as stolen keys from that campaign may now be weaponized against CVE-2026-3564 ↗
- →Researchers observed attempts to abuse disclosed ASP.NET machine key material in the wild; treat any anomalous privilege escalation within ScreenConnect as potentially related ↗
- ·Cloud-hosted ScreenConnect instances were automatically patched; only on-premises deployments require manual upgrade to version 26.1 ↗
- ·Protecting backups and old data snapshots is explicitly recommended, as historical machine key material from snapshots could also be leveraged for exploitation ↗
CVSS provenance
nvdv3.19.0CRITICALCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
vulncheck9.0CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-hrc2-hchg-rq8r: A condition in ScreenConnect may allow an actor with access to server-level cryptographic material used for authentication to obtain unauthorized acce
ghsa_unreviewed·2026-03-17
CVE-2026-3564 [CRITICAL] CWE-347 GHSA-hrc2-hchg-rq8r: A condition in ScreenConnect may allow an actor with access to server-level cryptographic material used for authentication to obtain unauthorized acce
A condition in ScreenConnect may allow an actor with access to server-level cryptographic material used for authentication to obtain unauthorized access, including elevated privileges, in certain scenarios.
VulnCheck
ConnectWise ScreenConnect Improper Verification of Cryptographic Signature
vulncheck·2026·CVSS 9.0
CVE-2026-3564 [CRITICAL] ConnectWise ScreenConnect Improper Verification of Cryptographic Signature
ConnectWise ScreenConnect Improper Verification of Cryptographic Signature
A condition in ScreenConnect may allow an actor with access to server-level cryptographic material used for authentication to obtain unauthorized access, including elevated privileges, in certain scenarios.
Affected: ConnectWise ScreenConnect
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.connectwise.com/company/trust/advisories; https://x.com/browsercookies/status/2033942473450586617
No detection rules found.
No public exploits indexed.
Hackernews
⚡ Weekly Recap: CI/CD Backdoor, FBI Buys Location Data, WhatsApp Ditches Numbers & More
blogs_hackernews·2026-03-23
⚡ Weekly Recap: CI/CD Backdoor, FBI Buys Location Data, WhatsApp Ditches Numbers & More
Home
Threat Intelligence
Vulnerabilities
Cyber Attacks
Webinars
Expert Insights
Awards
Webinars
Awards
Free eBooks
About THN
Jobs
Advertise with us
## ⚡ Weekly Recap: CI/CD Backdoor, FBI Buys Location Data, WhatsApp Ditches Numbers & More
Another week, another reminder that the internet is still a mess. Systems people thought were secure are being broken in simple ways, showing many still ignore basic advisories.
This edition covers a mix of issues: supply chain attacks hitting CI/CD setups, long-abused IoT devices being shut down, and exploits moving quickly from disclosure to real attacks. There are also new malware tricks showing attackers are becoming more patient and creative.
It’s a mix of old problems that never go away and new methods that are harder to detect. Th
Checkpoint
23rd March – Threat Intelligence Report
blogs_checkpoint·2026-03-23
CVE-2026-33017 23rd March – Threat Intelligence Report
Latest Publications
CPR Podcast Channel
AI Research
Web 3.0 Security
Intelligence Reports
ThreatCloud AI
Threat Intelligence & Research
Zero Day Protection
Sandblast File Analysis
About Us
SUBSCRIBE
2026
2025
2024
2023
2022
2021
2020
2019
2018
2017
2016
## 23rd March – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 23rd March, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Navia Benefit Solutions, a United States-based employee benefits administrator, has disclosed a breach affecting more than 2.6 million individuals after unauthorized access and potential data exfiltration occurred between December 22, 2025 and January 15, 2026. Exposed information may include personal, health, and benefits dat
Bleepingcomputer
ConnectWise patches new flaw allowing ScreenConnect hijacking
blogs_bleepingcomputer·2026-03-18·CVSS 9.0
CVE-2026-3564 [CRITICAL] ConnectWise patches new flaw allowing ScreenConnect hijacking
## ConnectWise patches new flaw allowing ScreenConnect hijacking
## Bill Toulas
ConnectWise is warning ScreenConnect customers of a cryptographic signature verification vulnerability that could lead to unauthorized access and privilege escalation.
The flaw affects ScreenConnect versions before 26.1. It is tracked as CVE-2026-3564 and received a critical severity score.
ScreenConnect is a remote access platform typically used by managed service providers (MSPs), IT departments, and support teams. It can be either cloud-hosted by ConnectWise or on-premise on the customer's server.
An attacker could exploit the security issue to extract and use the ASP.NET machine keys for unauthorized session authentication.
“If the machine key material for a ScreenConnect instance is disclosed, a thre
Wiz
CVE-2025-14265 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 10.0
CVE-2025-14265 [CRITICAL] CVE-2025-14265 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14265 :
ScreenConnect Server vulnerability analysis and mitigation
In versions of ScreenConnect™ prior to 25.8, server-side validation and integrity checks within the extension subsystem could allow the installation and execution of untrusted or arbitrary extensions by authorized or administrative users. Abuse of this behavior could result in the execution of custom code on the server or unauthorized access to application configuration data. This issue affects only the ScreenConnect server component; host and guest clients are not impacted. ScreenConnect 25.8 introduces enhanced server-side configuration handling and integrity checks to ensure only trusted extensions can be installed.
Source : NVD
## 9.1
Score
Published December 11, 2025
Severity CRITICAL
CNA Score 9.
Wiz
CVE-2025-14823 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 10.0
CVE-2025-14823 [CRITICAL] CVE-2025-14823 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14823 :
ScreenConnect Server vulnerability analysis and mitigation
In deployments using the ScreenConnect™ Certificate Signing Extension, encrypted configuration values including an Azure Key Vault-related key, could be returned to unauthenticated users through a client-facing endpoint under certain conditions. The values remained encrypted and securely stored at rest; however, an encrypted representation could be exposed in client responses. Updating the Certificate Signing Extension to version 1.0.12 or higher ensures configuration handling occurs exclusively on the server side, preventing encrypted values from being transmitted to or rendered by client-side components.
Source : NVD
## 5.3
Score
Published December 18, 2025
Severity MEDIUM
CNA Score 5.3
Affected Tec
Wiz
CVE-2026-3564 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 10.0
CVE-2026-3564 [CRITICAL] CVE-2026-3564 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3564 :
ScreenConnect Server vulnerability analysis and mitigation
A condition in ScreenConnect may allow an actor with access to server-level cryptographic material used for authentication to obtain unauthorized access, including elevated privileges, in certain scenarios.
Source : NVD
## 9
Score
Published March 17, 2026
Severity CRITICAL
CNA Score 9.0
Affected Technologies
ScreenConnect Server
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:connectwise:screenconnect
Sources
NVD
Linux Severity CRITICAL Has Fix Added at: Mar 19, 2026
Windows Severity CRITICAL Has Fix Added at: Mar 19, 20
2026-03-17
Published
Exploited in the wild