Critical Vulnerability in ScreenConnect Allows Remote Code Execution

ConnectWise has issued an urgent security update for its ScreenConnect remote access software to address a critical vulnerability that could enable attackers to execute malicious code on affected systems. This flaw, identified as CVE-2025-3935 and categorized under CWE-287 (Improper Authentication), impacts all ScreenConnect versions up to and including 25.2.3.

Understanding the Vulnerability

Security researchers have discovered that ScreenConnect versions 25.2.3 and earlier are susceptible to ViewState code injection attacks, earning a high severity CVSS score of 8.1. This vulnerability exploits how ASP.NET Web Forms handle ViewState—a mechanism used to preserve page and control states between server requests.

ViewState data is typically encoded using Base64 and protected by machine keys. However, if these machine keys are compromised through privileged system-level access, attackers could craft and send malicious ViewState data to vulnerable ScreenConnect websites, potentially achieving remote code execution on the server.

ConnectWise emphasized the broader implications of this issue, stating, “It is crucial to understand that this issue could potentially impact any product utilizing ASP.NET framework ViewStates, and ScreenConnect is not an outlier.” The company has assigned this vulnerability a Priority 1 (High) rating, indicating it is either being actively targeted or at high risk of exploitation.

Context and Precedents

This vulnerability follows a pattern of ViewState code injection attacks that Microsoft warned about in February 2025. According to Microsoft Threat Intelligence, attackers have been deploying malware using static ASP.NET machine keys found in publicly available repositories and documentation. Security researchers tracking the issue noted, “Microsoft has identified over 3,000 publicly disclosed keys that could be used for these types of attacks.”

Unlike previous attacks that relied on stolen keys from dark web forums, these publicly disclosed keys pose a higher risk due to their availability in multiple code repositories.
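A defensive check for the static-key problem described above, as an added example that is not code from ConnectWise or Microsoft: it parses a web.config, reports every hard-coded machineKey value, and marks those whose fingerprint appears on a blocklist of publicly disclosed keys. The sample config, the key values, the DISCLOSED blocklist and the SHA-256 fingerprint scheme are assumptions constructed for this example.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample web.config; both key values are made up for this example.
SAMPLE_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="FEDCBA9876543210FEDCBA9876543210"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""


def key_fingerprint(key: str) -> str:
    """SHA-256 of the normalised key, so the blocklist never stores raw keys."""
    return hashlib.sha256(key.strip().upper().encode("utf-8")).hexdigest()


# Hypothetical blocklist (assumption): fingerprints of keys known to be public.
# Seeded with the constructed validationKey above to show a match.
DISCLOSED = {key_fingerprint(
    "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF")}


def audit_machine_keys(config_xml: str, disclosed: set) -> list:
    """Return (attribute, status) for every hard-coded machineKey value."""
    findings = []
    for el in ET.fromstring(config_xml).iter():
        # Compare the local name so configs with an XML namespace still match.
        if el.tag.rsplit("}", 1)[-1] != "machineKey":
            continue
        for attr in ("validationKey", "decryptionKey"):
            value = el.get(attr, "AutoGenerate")
            # "AutoGenerate[,IsolateApps]" means the runtime creates the key.
            if value.split(",")[0].strip().lower() == "autogenerate":
                continue
            hit = key_fingerprint(value) in disclosed
            findings.append((attr, "publicly-disclosed" if hit else "static"))
    return findings


if __name__ == "__main__":
    for attr, status in audit_machine_keys(SAMPLE_CONFIG, DISCLOSED):
        print(f"{attr}: {status}")
```

A "static" result is not evidence of compromise on its own; it identifies keys whose origin should be confirmed and which should be rotated if they were copied from documentation or a repository.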

Mitigation Measures

To address this critical vulnerability, ConnectWise released ScreenConnect version 25.2.4 on April 24, 2025. This update disables ViewState and removes any dependency on it, effectively mitigating the risk.

For cloud-based users on the screenconnect.com platform (both standalone and integrated with Automate/RMM) or hostedrmm.com for Automate partners, no action is required as these servers have already been updated to remediate the issue.

However, on-premises users must take immediate action:

1. Navigate to the Administration/License page and expand the Version Check box.
2. Install the latest 25.2.4 version if currently running 25.2.3 or earlier.
3. Users with expired maintenance licenses must renew before upgrading or use free security patches available for select older versions dating back to release 23.9.

ConnectWise advises all on-premises partners, regardless of whether they’ve patched their server, to assess their systems for signs of compromise before bringing them back online. If a compromise is suspected, the company recommends following established incident response procedures, including isolating affected servers and creating backups for analysis.

Historical Context

This vulnerability follows previous critical ScreenConnect flaws from February 2024 (CVE-2024-1709 and CVE-2024-1708) that threat actors, including ransomware groups, actively exploited. While this new vulnerability operates differently, it highlights the ongoing security challenges facing remote access software in an increasingly distributed work environment.

Recommendations for Organizations

Organizations using ScreenConnect are strongly encouraged to:

– Update Immediately: Ensure all instances of ScreenConnect are updated to version 25.2.4 or later to mitigate the vulnerability.
– Review System Logs: Examine logs for any unusual activity that may indicate a compromise.
– Implement Strong Access Controls: Restrict access to administrative functions and regularly review user permissions.
– Educate Staff: Provide training on recognizing phishing attempts and other common attack vectors.

By taking these steps, organizations can enhance their security posture and reduce the risk of exploitation through vulnerabilities in remote access tools.