Unpatched ScreenConnect servers open to attack (CVE-2026-3564)
ConnectWise has patched a critical vulnerability (CVE-2026-3564) that could enable attackers to hijack ScreenConnect sessions by abusing ASP.NET machine keys to forge trusted authentication.
About CVE-2026-3564
The ScreenConnect remote access platform is popular with managed service providers, IT departments, and technology solution providers. They can opt for the cloud-hosted version or can deploy it on their own servers or in their private cloud.
CVE-2026-3564 stems from improper verification of a cryptographic signature. It can be exploited remotely by unauthenticated attackers without any user interaction, and affects all versions of ScreenConnect before version 26.1.
“Earlier versions of ScreenConnect stored unique [ASP.NET] machine keys per instance within server configuration files, which under certain conditions could allow unauthorized actors to extract this material and misuse it for session authentication,” ConnectWise explained.
After hijacking a session, attackers may use it to perform unauthorized actions within the instance. Because ScreenConnect is used for managing remote devices, they may also open remote sessions to employee computers, run commands, install malware, etc.
“ScreenConnect version 26.1 introduces enhanced protections for machine key handling, including encrypted storage and management, reducing the risk of unauthorized access in scenarios where server integrity may be compromised,” the company added.
The new version also allows admins to easily regenerate instances’ cryptographic material.
What to do?
In a separate advisory, ConnectWise mentioned that “security researchers have observed attempts to abuse disclosed ASP.NET machine key material,” but did not specify when.
“We do not have evidence that [CVE-2026-3564] was exploited in ConnectWise-hosted ScreenConnect, so we do not have any confirmed IOCs to share,” a company spokesperson told Help Net Security.
“We encourage any researchers who believe they have identified active exploitation to engage in responsible disclosure so findings can be validated and addressed appropriately.”
ConnectWise released ScreenConnect v26.1 last week and updated the server instances it hosts in its cloud. Customers with on-premises and self-hosted instances are urged to upgrade as soon as possible.
Organizations should also check for signs of prior compromise: unusual authentication activity and unexpected administrative actions appearing in the ScreenConnect logs.
Finally, ConnectWise advises:
- Reviewing instance-level and server-level access controls to restrict access to sensitive application configuration and secrets
- Making sure that access to backups, exported configuration archives, and historical snapshots is limited to trusted users and systems
- Using only trusted and supported extensions and regularly updating them.
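One way to act on the advice about configuration files, backups and exported archives is to inventory every copy that still holds literal machine key material. The sketch below is an added example, not ConnectWise tooling: it assumes the keys appear as a standard ASP.NET `<machineKey>` element with `validationKey`/`decryptionKey` attributes, the function names are hypothetical, and the files and key values in `demo()` are constructed.

```python
import os
import re
import tempfile
import zipfile

ELEMENT = re.compile(r"<machineKey\b[^>]*>", re.I)
ATTR = re.compile(r'\b(validationKey|decryptionKey)\s*=\s*"([^"]*)"', re.I)

def explicit_key_attrs(text):
    """Names of <machineKey> attributes (assumed ASP.NET layout) holding literal keys."""
    pairs = (p for element in ELEMENT.findall(text) for p in ATTR.findall(element))
    return sorted({n for n, v in pairs if v and not v.lower().startswith("autogenerate")})

def scan(root):
    """Report .config files under root, loose or inside .zip archives, with literal keys."""
    findings = []
    for folder, _dirs, files in os.walk(root):
        for path in (os.path.join(folder, f) for f in files):
            if path.lower().endswith(".config"):
                with open(path, encoding="utf-8", errors="replace") as handle:
                    members = [("", handle.read())]
            elif zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as archive:
                    members = [(n, archive.read(n).decode("utf-8", "replace"))
                               for n in archive.namelist() if n.lower().endswith(".config")]
            else:
                continue
            exposed = bool(os.stat(path).st_mode & 0o004)  # POSIX other-read; use ACLs on Windows
            for member, text in members:
                attrs = explicit_key_attrs(text)  # attribute names only, never the key values
                if attrs:
                    findings.append((os.path.relpath(path, root), member, attrs, exposed))
    return sorted(findings)

def demo():
    """Scan a constructed tree (dummy key values): live config, backup zip, safe config."""
    keyed = '<system.web><machineKey validationKey="00AA" decryptionKey="11BB"/></system.web>'
    auto = '<system.web><machineKey validationKey="AutoGenerate,IsolateApps"/></system.web>'
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("web.config", keyed), ("safe.config", auto)):
            with open(os.path.join(root, name), "w") as handle:
                handle.write(body)
        os.chmod(os.path.join(root, "web.config"), 0o600)
        with zipfile.ZipFile(os.path.join(root, "backup.zip"), "w") as archive:
            archive.writestr("site/web.config", keyed)
        os.chmod(os.path.join(root, "backup.zip"), 0o644)
        return scan(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Each finding is a tuple of file path, archive member (empty for a loose file), the attribute names found, and whether the file is readable by all local users. Any copy reported from a backup or snapshot location is a candidate for tighter access control and for key regeneration after upgrading.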

