Critical ScreenConnect Vulnerability Exposes Remote Desktop Sessions to Hijacking
ConnectWise has issued an urgent security advisory for its ScreenConnect remote desktop software, revealing a critical cryptographic flaw (CVE-2026-3564) that could enable unauthenticated attackers to extract server-level machine keys and bypass session authentication. The vulnerability, assigned a CVSS score of 9.0, affects all ScreenConnect versions prior to 26.1 and is classified as Priority 1 (High) due to active or imminent exploitation risks.
The flaw stems from plaintext storage of machine keys and cryptographic identifiers in server configuration files, allowing attackers with filesystem or configuration access to extract them without elevated privileges. Once obtained, these keys can be used to forge session tokens, impersonate legitimate users, and circumvent access controls. The issue is rooted in CWE-347 (Improper Verification of Cryptographic Signature), where the software fails to validate cryptographic integrity before trusting authentication components.
Exploitation requires no user interaction or privileges, though the attack complexity remains high due to specific conditions. The scope is marked as "Changed", meaning successful exploitation could impact resources beyond the vulnerable component, a major concern for enterprises relying on ScreenConnect for remote access.
ConnectWise has released ScreenConnect 26.1, which mitigates the flaw by encrypting key storage and improving key management. Cloud-hosted instances are already protected, but on-premises deployments must manually upgrade to version 26.1, with lapsed maintenance licenses requiring renewal before patching. Security teams are advised to prioritize remediation and review session logs for signs of prior exploitation.
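As an added example (not code from ConnectWise or the source article), the following audit flags the plaintext key storage described above. It assumes the server configuration is an ASP.NET-style `web.config` with a `<machineKey>` element; the article does not name the file or element, and the sample configurations are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample data: not real keys, not taken from any ScreenConnect install.
FAKE_KEY = "AB" * 32
PLAINTEXT = f"""<configuration><system.web>
  <machineKey validationKey="{FAKE_KEY}" decryptionKey="{FAKE_KEY}" />
</system.web></configuration>"""
AUTOGEN = """<configuration><system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate" />
</system.web></configuration>"""
PROTECTED = """<configuration><system.web>
  <machineKey configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#">
      <CipherData><CipherValue>constructed-ciphertext</CipherValue></CipherData>
    </EncryptedData>
  </machineKey>
</system.web></configuration>"""

KEY_ATTRS = ("validationKey", "decryptionKey")

def audit_machine_key(config_xml):
    """Return one finding per machineKey attribute holding literal key material."""
    findings = []
    root = ET.fromstring(config_xml)
    for elem in root.iter("machineKey"):
        # ASP.NET protected configuration moves the values into an
        # EncryptedData child, so no key attributes remain in cleartext.
        encrypted = any(child.tag.endswith("EncryptedData") for child in elem)
        if elem.get("configProtectionProvider") and encrypted:
            continue
        for attr in KEY_ATTRS:
            value = elem.get(attr)
            if value is None:
                continue
            first = value.split(",")[0].strip()
            if first.lower() == "autogenerate":
                continue  # key is derived at runtime, not stored in the file
            # Report the length only; never echo the key into logs or tickets.
            findings.append(f"{attr}: plaintext key material ({len(first)} chars)")
    return findings

if __name__ == "__main__":
    for name, sample in (("plaintext", PLAINTEXT), ("autogen", AUTOGEN),
                         ("protected", PROTECTED)):
        print(name, audit_machine_key(sample) or "no plaintext key material")
```

A finding means anyone who could read the file could read the key, so the key should be treated as exposed and rotated as part of remediation.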
Source: https://cybersecuritynews.com/screenconnect-vulnerability-machine-keys/
ConnectWise cybersecurity rating report: https://www.rankiteo.com/company/connectwise
"id": "CON1773851361",
"linkid": "connectwise",
"type": "Vulnerability",
"date": "3/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': 'Enterprises using ScreenConnect '
'on-premises deployments '
'(versions prior to 26.1)',
'industry': 'Software (Remote Desktop Solutions)',
'name': 'ConnectWise',
'type': 'Vendor'}],
'attack_vector': 'Remote',
'customer_advisories': 'Urgent security advisory issued for ScreenConnect '
'users to upgrade to version 26.1.',
'data_breach': {'data_encryption': 'Mitigated in version 26.1 (encrypted key '
'storage)',
'file_types_exposed': 'Server configuration files',
'sensitivity_of_data': 'High (enables unauthorized access to '
'remote sessions)',
'type_of_data_compromised': 'Cryptographic keys, session '
'tokens'},
'description': 'ConnectWise has issued an urgent security advisory for its '
'ScreenConnect remote desktop software, revealing a critical '
'cryptographic flaw (CVE-2026-3564) that could enable '
'unauthenticated attackers to extract server-level machine '
'keys and bypass session authentication. The vulnerability '
'affects all ScreenConnect versions prior to 26.1 and is '
'classified as Priority 1 (High) due to active or imminent '
'exploitation risks. The flaw stems from plaintext storage of '
'machine keys and cryptographic identifiers in server '
'configuration files, allowing attackers to forge session '
'tokens, impersonate legitimate users, and circumvent access '
'controls.',
'impact': {'data_compromised': 'Server-level machine keys, session tokens',
'operational_impact': 'Unauthorized access to remote desktop '
'sessions, bypass of authentication controls',
'systems_affected': 'ScreenConnect remote desktop software '
'(versions prior to 26.1)'},
'post_incident_analysis': {'corrective_actions': 'Encrypted key storage and '
'improved key management in '
'ScreenConnect 26.1.',
'root_causes': 'Plaintext storage of machine keys '
'and cryptographic identifiers in '
'server configuration files; '
'improper verification of '
'cryptographic signatures '
'(CWE-347).'},
'recommendations': 'Prioritize remediation, upgrade to ScreenConnect 26.1, '
'review session logs for exploitation signs, and renew '
'lapsed maintenance licenses for patch access.',
'references': [{'source': 'ConnectWise Security Advisory'}],
'response': {'communication_strategy': 'Urgent security advisory issued',
'containment_measures': 'Release of ScreenConnect 26.1 with '
'encrypted key storage and improved key '
'management',
'enhanced_monitoring': 'Review session logs for signs of prior '
'exploitation',
'remediation_measures': 'Manual upgrade to ScreenConnect 26.1 '
'for on-premises deployments; renewal of '
'lapsed maintenance licenses required '
'for patching'},
'title': 'Critical ScreenConnect Vulnerability Exposes Remote Desktop '
'Sessions to Hijacking',
'type': 'Cryptographic Vulnerability',
'vulnerability_exploited': 'CVE-2026-3564 (CWE-347: Improper Verification of '
'Cryptographic Signature)'}