BusinessCybersecurityNewswireTechnology

Urgent: Unpatched ScreenConnect Servers Vulnerable to Attack

Originally published on: March 21, 2026
▼ Summary

– ConnectWise patched a critical vulnerability (CVE-2026-3564) in its ScreenConnect software that allowed attackers to forge authentication and hijack sessions.
– The flaw affected all versions before 26.1 and could be exploited remotely by unauthenticated attackers without any user interaction.
– Successful exploitation could let attackers perform unauthorized actions within an instance and remotely access managed computers to run commands or install malware.
– ConnectWise has released version 26.1 with enhanced protections and urges all on-premises and self-hosted customers to upgrade immediately.
– Organizations should check their logs for signs of unusual activity and review access controls to sensitive configuration files and backups.

A critical security flaw in the widely-used ScreenConnect remote access software demands immediate attention from IT administrators. ConnectWise has issued a patch for a severe vulnerability, tracked as CVE-2026-3564, which could allow attackers to take over active sessions. This issue affects all versions prior to the newly released 26.1 and stems from a weakness in how the software handled cryptographic keys, enabling unauthorized individuals to forge authentication and gain control.

The problem originates in earlier ScreenConnect versions, which stored unique ASP. NET machine keys within server configuration files. Under specific conditions, a malicious actor could potentially extract this sensitive material. Once obtained, they could misuse it to authenticate themselves as a trusted user, effectively hijacking an existing administrative session. This type of attack can be executed remotely without requiring any authentication or interaction from a legitimate user, making it particularly dangerous.

The implications of a successful attack are severe. Since ScreenConnect is a tool for managing remote devices, a compromised session grants an attacker significant power. They could perform unauthorized actions within the management instance, open remote connections to employee computers, execute arbitrary commands, or deploy malware across the network. This poses a direct threat to the security of any organization using an unpatched version of the software.

In response, ConnectWise has rolled out ScreenConnect version 26.1, which introduces strengthened protections for handling these machine keys. The update includes encrypted storage and management for the cryptographic material, substantially reducing the risk of unauthorized access even if server integrity is compromised. The new version also provides administrators with a straightforward method to regenerate their instance’s cryptographic keys, a crucial step for securing systems after an update.

ConnectWise has confirmed that its own cloud-hosted instances have been updated, but on-premises and self-hosted deployments require manual intervention. The company is urging all customers using these private deployments to upgrade to version 26.1 without delay. While there is no current evidence of this specific vulnerability being exploited in ConnectWise’s hosted environment, the company noted that security researchers have observed attempts to abuse disclosed ASP. NET machine key material in other contexts.

Beyond applying the patch, organizations should conduct a thorough review of their systems. It is essential to check ScreenConnect logs for any signs of unusual authentication activity or unexpected administrative actions that might indicate a prior compromise. ConnectWise further advises administrators to review and tighten access controls at both the instance and server levels, ensuring that sensitive configuration files and secrets are not accessible to unauthorized users.

Additional security measures include restricting access to backups, exported configuration archives, and historical snapshots to only trusted systems and personnel. Organizations should also audit and ensure they are only using trusted, supported extensions for the platform and keep those components regularly updated. Taking these steps helps build a more resilient security posture around this critical remote management tool.

(Source: Help Net Security)

Topics

software vulnerability 100% session hijacking 95% security patch 90% asp.net keys 90% remote access 85% upgrade urgency 85% unauthorized access 80% exploitation attempts 75% cryptographic security 75% incident response 70%