Critical ScreenConnect Vulnerability Exposes Machine Keys, Enabling Session Hijacking
ConnectWise has recently disclosed a significant security flaw in its ScreenConnect remote desktop software, identified as CVE-2026-3564. This vulnerability, present in all versions prior to 26.1, has been assigned a CVSS score of 9.0, categorizing it as critical.
Understanding the Vulnerability
The core issue lies in how ScreenConnect versions before 26.1 manage and store unique machine keys and cryptographic identifiers. These keys, essential for secure authentication, were stored in plaintext within server configuration files. This storage method means that if an attacker gains access to the filesystem or configuration data—without needing elevated privileges—they could extract these keys.
Potential Exploitation and Risks
Once an attacker has these machine keys, they can forge or manipulate session authentication tokens. This capability allows them to impersonate legitimate sessions, effectively bypassing established access controls. The vulnerability is classified under CWE-347 (Improper Verification of Cryptographic Signature), indicating that the software fails to adequately verify the integrity of cryptographic components before trusting them for authentication decisions.
The CVSS vector suggests that the vulnerability is exploitable over a network without requiring specific privileges or user interaction. However, the high attack complexity indicates that certain conditions must be met for successful exploitation. Notably, the scope is marked as Changed, meaning a successful exploit could impact resources beyond the vulnerable component itself. This is particularly concerning in enterprise environments where ScreenConnect is widely used for remote access.
ConnectWise’s Response and Recommendations
ConnectWise has assigned this vulnerability a Priority 1 (High) rating, signifying that it is either actively being targeted or at an elevated risk of exploitation. Organizations using on-premises ScreenConnect deployments are especially vulnerable and should treat remediation as an urgent matter.
To address this flaw, ConnectWise has released ScreenConnect version 26.1. This update introduces encrypted storage and enhanced key management for machine key material, significantly reducing the risk of unauthorized extraction even if server integrity is partially compromised.
Action Steps for Users
– On-Premises Deployments: Users must manually upgrade to ScreenConnect version 26.1 through the official ScreenConnect download page. Lapsed maintenance licenses must be renewed before the update can be applied.
– Cloud-Hosted Instances: No action is required, as ConnectWise has already applied the necessary mitigations on the backend.
Given the critical nature of this vulnerability, security teams managing on-premises ScreenConnect deployments should prioritize patching immediately. Additionally, it’s advisable to audit session logs for any anomalous authentication activity that could indicate prior exploitation attempts.
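The plaintext key storage described under "Understanding the Vulnerability" can be checked for on a server. The following is an added example, not ConnectWise code and not part of the original article: it assumes the keys sit in an ASP.NET-style machineKey element (the article does not name the file or its format), and the sample configurations and key values are constructed.

```python
import xml.etree.ElementTree as ET

KEY_ATTRS = ("validationKey", "decryptionKey")
HEX = set("0123456789abcdefABCDEF")

# Constructed sample configs; the key values are made up, not real keys.
PLAINTEXT_SAMPLE = (
    '<configuration><system.web><machineKey validationKey="%s" '
    'decryptionKey="%s" validation="HMACSHA256" decryption="AES" />'
    '</system.web></configuration>' % ("0123456789ABCDEF" * 8, "FEDCBA9876543210" * 4)
)
PROTECTED_SAMPLE = (
    '<configuration><system.web>'
    '<machineKey configProtectionProvider="RsaProtectedConfigurationProvider">'
    '<EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#">'
    '<CipherData><CipherValue>CONSTRUCTED</CipherValue></CipherData>'
    '</EncryptedData></machineKey></system.web></configuration>'
)

def audit_machine_key(config_xml):
    """Report how each machineKey attribute is stored, never echoing key bytes."""
    findings = {}
    for elem in ET.fromstring(config_xml).iter("machineKey"):
        # Protected configuration replaces the attributes with an
        # <EncryptedData> child and names the provider on the section.
        protected = elem.get("configProtectionProvider") or any(
            child.tag.endswith("EncryptedData") for child in elem)
        for attr in KEY_ATTRS:
            value = (elem.get(attr) or "").strip()
            if protected:
                findings[attr] = "encrypted"
            elif not value:
                findings[attr] = "absent"
            elif value.split(",")[0].lower() == "autogenerate":
                findings[attr] = "autogenerated"
            elif set(value) <= HEX:
                findings[attr] = "plaintext (%d bits)" % (len(value) * 4)
            else:
                findings[attr] = "unrecognized"
    return findings

def has_plaintext_key(config_xml):
    """True when any key attribute holds literal hex key material."""
    return any(v.startswith("plaintext") for v in audit_machine_key(config_xml).values())

if __name__ == "__main__":
    for name, sample in (("plaintext", PLAINTEXT_SAMPLE), ("protected", PROTECTED_SAMPLE)):
        print(name, audit_machine_key(sample), "FLAG" if has_plaintext_key(sample) else "ok")
```

The audit reports only the storage class and key length, so its output can go into a ticket or scan report without exposing key material.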