cbcvebase.
CVE-2026-3564
published 2026-03-17

CVE-2026-3564: A condition in ScreenConnect may allow an actor with access to server-level cryptographic material used for authentication to obtain unauthorized access…

PriorityP183critical9CVSS 3.1
AVNACHPRNUINSCCHIHAH
ITWVulnCheck KEV
Exploited in the wild
EPSS
0.36%
28.1th percentile
A condition in ScreenConnect may allow an actor with access to server-level cryptographic material used for authentication to obtain unauthorized access, including elevated privileges, in certain scenarios.

Affected

1 ranges
VendorProductVersion rangeFixed in
connectwisescreenconnect

Detection & IOCsextracted from sources · hover to see the quote

  • Monitor ScreenConnect logs for unusual authentication activity, which may indicate abuse of disclosed ASP.NET machine key material to forge or modify protected session values
  • Detect attempts to extract or access ASP.NET machine keys from ScreenConnect server configuration files or backups, as these keys can be used to generate valid forged session tokens
  • Alert on any ScreenConnect instance running a version prior to 26.1, as all prior versions are vulnerable to this cryptographic signature verification flaw
  • Correlate with prior CVE-2025-3935 exploitation activity (machine key theft), as stolen keys from that campaign may now be weaponized against CVE-2026-3564
  • Researchers observed attempts to abuse disclosed ASP.NET machine key material in the wild; treat any anomalous privilege escalation within ScreenConnect as potentially related
  • ·Cloud-hosted ScreenConnect instances were automatically patched; only on-premises deployments require manual upgrade to version 26.1
  • ·Protecting backups and old data snapshots is explicitly recommended, as historical machine key material from snapshots could also be leveraged for exploitation

CVSS provenance

nvdv3.19.0CRITICALCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
vulncheck9.0CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.