ConnectWise has released an urgent security patch for its ScreenConnect remote access software to address a serious vulnerability that could allow attackers to execute malicious code on affected systems.
The vulnerability, identified as CVE-2025-3935 and tracked under CWE-287 (Improper Authentication), affects all ScreenConnect versions up to and including 25.2.3.
Security researchers discovered that ScreenConnect versions 25.2.3 and earlier are susceptible to ViewState code injection attacks, earning a high severity CVSS score of 8.1.
This vulnerability exploits how ASP.NET Web Forms handle ViewState, a mechanism used to preserve page and control state between server requests.
ViewState data is typically encoded using Base64 and protected by machine keys. However, if these machine keys are compromised through privileged system-level access, attackers could craft and send malicious ViewState data to vulnerable ScreenConnect websites, potentially achieving remote code execution on the server.
“It is crucial to understand that this issue could potentially impact any product utilizing ASP.NET framework ViewStates, and ScreenConnect is not an outlier,” ConnectWise stated in its security bulletin.
The company has assigned this vulnerability a Priority 1 (High) rating, indicating it is either being actively targeted or at high risk of exploitation.
This vulnerability follows a pattern of ViewState code injection attacks that Microsoft warned about in February 2025. According to Microsoft Threat Intelligence, attackers have been deploying malware using static ASP.NET machine keys found in publicly available repositories and documentation.
“Microsoft has identified over 3,000 publicly disclosed keys that could be used for these types of attacks,” noted security researchers tracking the issue.
Unlike previous attacks that relied on stolen keys from dark web forums, these publicly disclosed keys pose a higher risk due to their availability in multiple code repositories.
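A defender's audit for the two conditions the text describes, a static ASP.NET machine key (worse if it is one of the publicly disclosed ones) and ViewState integrity protection switched off, written here as an added example that is not code from ConnectWise or from this article. The `machineKey` and `pages` attributes are standard ASP.NET web.config settings; the disclosed-key set and the sample web.config are constructed placeholders, not real leaked material.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed placeholder standing in for a key that has appeared in public
# repositories or documentation; a real check would load an authoritative list.
_CONSTRUCTED_LEAKED_KEY = "DEADBEEF" * 8
KNOWN_DISCLOSED_KEY_HASHES = {hashlib.sha256(_CONSTRUCTED_LEAKED_KEY.encode()).hexdigest()}

def audit_machine_key(web_config_xml: str) -> list[str]:
    """Return findings for the <machineKey> / <pages> settings in a web.config.

    Flags static (non-AutoGenerate) keys, keys matching the disclosed set,
    ViewState MAC disabled, and ViewState encryption forced off.
    """
    findings = []
    root = ET.fromstring(web_config_xml)
    mk = root.find("./system.web/machineKey")
    pages = root.find("./system.web/pages")
    if mk is not None:
        for attr in ("validationKey", "decryptionKey"):
            value = mk.get(attr, "AutoGenerate")
            if value.startswith("AutoGenerate"):
                continue  # ASP.NET generates a per-machine key; not reusable elsewhere
            findings.append(f"static {attr}")
            if hashlib.sha256(value.encode()).hexdigest() in KNOWN_DISCLOSED_KEY_HASHES:
                findings.append(f"{attr} matches a publicly disclosed key")
    if pages is not None:
        if pages.get("enableViewStateMac", "true").lower() == "false":
            findings.append("ViewState MAC disabled")
        if pages.get("viewStateEncryptionMode", "Auto").lower() == "never":
            findings.append("ViewState encryption disabled")
    return findings

# Constructed sample: a config that reuses the placeholder key and turns off the MAC.
SAMPLE_WEB_CONFIG = f"""<configuration>
  <system.web>
    <machineKey validationKey="{_CONSTRUCTED_LEAKED_KEY}" decryptionKey="{'0' * 48}"
                validation="SHA1" decryption="AES" />
    <pages enableViewStateMac="false" />
  </system.web>
</configuration>"""

if __name__ == "__main__":
    for finding in audit_machine_key(SAMPLE_WEB_CONFIG):
        print("FINDING:", finding)
```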
Mitigations
ConnectWise has released ScreenConnect version 25.2.4 on April 24, 2025, which addresses the vulnerability by disabling ViewState and removing any dependency on it.
For cloud-based users on the “screenconnect.com” platform (both standalone and integrated with Automate/RMM) or “hostedrmm.com” for Automate partners, no action is required as these servers have already been updated to remediate the issue.
However, on-premises users must take immediate action:
- Navigate to Administration/License page and expand the Version Check box.
- Install the latest 25.2.4 version if currently running 25.2.3 or earlier.
- Users with expired maintenance licenses must renew before upgrading or use free security patches available for select older versions dating back to release 23.9.
ConnectWise advises all on-premises partners, regardless of whether they’ve patched their server, to assess their systems for signs of compromise before bringing them back online.
If a compromise is suspected, the company recommends following established incident response procedures, including isolating affected servers and creating backups for analysis.
This vulnerability follows previous critical ScreenConnect flaws from February 2024 (CVE-2024-1709 and CVE-2024-1708) that threat actors, including ransomware groups, actively exploited.
While this new vulnerability operates differently, it highlights the ongoing security challenges facing remote access software in an increasingly distributed work environment.
Organizations using ScreenConnect are strongly encouraged to implement the patched version immediately to protect their infrastructure from potential exploitation.