
ConnectWise has issued an important security bulletin addressing a critical code injection vulnerability in ScreenConnect versions 25.2.3 and earlier. Tracked as CVE-2025-3935 (CVSS 8.1), the flaw involves ASP.NET’s ViewState mechanism, which can potentially be exploited to achieve remote code execution (RCE) on affected servers—if machine keys are compromised.
“ScreenConnect versions 25.2.3 and earlier may be susceptible to a ViewState code injection attack,” the bulletin warns.
ASP.NET Web Forms use ViewState to persist control and page states across requests. These states are encoded in Base64 and protected by machine keys, which ensure integrity and confidentiality.
However, as ConnectWise highlights: “To obtain these machine keys, privileged system-level access must be obtained. If these machine keys are compromised, attackers could create and send a malicious ViewState to the website, potentially leading to remote code execution on the server.”
This means the exploit is not trivial and requires prior access or a separate vulnerability to leak the encryption keys—but the consequences, once exploited, are severe.
“Our patch disables ViewState and removes any dependency on it.”
ConnectWise notes that this issue is not unique to ScreenConnect, emphasizing:
“It is crucial to understand that this issue could potentially impact any product utilizing ASP.NET framework ViewStates, and ScreenConnect is not an outlier.”
This points to a class-wide issue in legacy ASP.NET implementations, potentially affecting numerous enterprise products beyond just ScreenConnect.
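Because the bulletin says any ASP.NET Web Forms application that relies on ViewState shares this exposure, a defender's first step is an inventory of which applications still have ViewState enabled and which of those carry a static machine key in their configuration. The following PowerShell audit is an added example, not ConnectWise's code or patch; it assumes standard IIS web.config files under a content root (default `C:\inetpub\wwwroot`) and does not cover keys inherited from machine.config.

```powershell
# Added example (not ConnectWise code): list ASP.NET apps whose web.config leaves
# ViewState enabled, and flag those with a static <machineKey>, which stays valid
# until rotated if it is ever leaked. The content root path is an assumption.
param(
    [string]$Root = 'C:\inetpub\wwwroot'   # assumed IIS content root
)

Get-ChildItem -Path $Root -Filter 'web.config' -Recurse -File | ForEach-Object {
    try { [xml]$cfg = Get-Content -LiteralPath $_.FullName -Raw } catch { return }
    $web = $cfg.configuration.'system.web'
    if (-not $web) { return }   # not an ASP.NET application config

    $pages = $web.pages
    $mk    = $web.machineKey

    # ViewState is on by default; only an explicit enableViewState="false" turns it off.
    $viewStateOn = -not ($pages -and $pages.enableViewState -eq 'false')

    # A validationKey other than AutoGenerate is a static secret stored in the file
    # (and in every backup of it); leaking it is the precondition the bulletin describes.
    $staticKey = $mk -and $mk.validationKey -and $mk.validationKey -ne 'AutoGenerate,IsolateApps'

    $mac = if ($pages -and $pages.enableViewStateMac) { $pages.enableViewStateMac } else { 'true (default)' }
    $enc = if ($pages -and $pages.viewStateEncryptionMode) { $pages.viewStateEncryptionMode } else { 'Auto (default)' }

    [pscustomobject]@{
        Config           = $_.FullName
        ViewStateEnabled = $viewStateOn
        StaticMachineKey = [bool]$staticKey
        Validation       = if ($mk) { $mk.validation } else { 'default' }
        ViewStateMac     = $mac
        EncryptionMode   = $enc
        Finding          = if ($viewStateOn -and $staticKey) {
                               'ViewState enabled with static key: rotate the key or disable ViewState'
                           } elseif ($viewStateOn) {
                               'ViewState enabled: confirm who can read the machine key'
                           } else {
                               'ViewState disabled'
                           }
    }
} | Format-Table -AutoSize
```

Keys set at the machine.config or IIS Configuration Editor level apply to sites that show no `<machineKey>` here, so a "default" row still needs to be checked against the server-wide configuration.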
All on-premises deployments of ScreenConnect up to version 25.2.3 are vulnerable. Cloud-hosted deployments under “screenconnect.com” and “hostedrmm.com” have already been updated by ConnectWise and require no user action.
- Active Maintenance Users: Upgrade immediately to version 25.2.4 by visiting the ConnectWise Download page.
- Off-Maintenance Users: ConnectWise is offering free security patches for versions dating back to 23.9, even for those without active maintenance contracts.
ConnectWise urges all partners to apply the update without delay:
“Using the most current release of ScreenConnect includes security updates, bug fixes, and enhancements not found in older releases.”