ConnectWise has issued an important security update for its widely used remote support software, ScreenConnect, addressing a critical vulnerability that could expose sensitive configuration data. The flaw, tracked as CVE-2025-14265, carries a high CVSS score of 9.1, signaling a significant risk for unpatched on-premise servers.
While the vulnerability is severe, it is not a simple “open door” for attackers. Exploitation requires specific conditions: “These issues require authorized or administrative-level access to be leveraged”. However, once inside, an attacker could potentially access configuration data or force the “installation of untrusted extensions”.
The newly released ScreenConnect 25.8 patch focuses on hardening the server’s defenses against internal misuse or compromised admin accounts.
According to the advisory, the update “strengthens server-side validation, enforces integrity checks for extension installations, and enhances overall platform security and stability”. This effectively locks down the ability for malicious extensions to be sideloaded, a common technique used by attackers to maintain persistence on a compromised server.
Importantly, the vulnerability is strictly server-side. “These issues affect only the ScreenConnect server component; host and guest clients are not impacted”.
For the thousands of managed service providers (MSPs) and IT teams using ScreenConnect, the remediation path depends on their deployment model:
- Cloud Users: Breathe easy. “No action is required,” as servers hosted on screenconnect.com or hostedrmm.com have already been patched by ConnectWise.
- On-Premise Partners: Immediate action is needed. Administrators must upgrade their servers to version 25.8 manually. “Please upgrade to ScreenConnect version 25.8 and update your guest clients to the same version,” the advisory urges.
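To turn the two-branch remediation guidance above into a quick inventory check, here is an added example that is not part of this article or of ConnectWise's advisory. It triages a constructed list of ScreenConnect servers: hosts under screenconnect.com or hostedrmm.com are treated as cloud-hosted and already patched, and every other host is treated as on-premise and flagged unless it reports version 25.8 or later. The hostnames, version strings, and the `Server` record type are assumptions made for the example.

```python
"""Added example: triage a ScreenConnect inventory against the 25.8 fix line.
Not from the ConnectWise advisory or this article; hostnames and versions
below are constructed sample data."""

from dataclasses import dataclass

FIXED_VERSION = "25.8"                                  # from the advisory
CLOUD_SUFFIXES = ("screenconnect.com", "hostedrmm.com")  # ConnectWise-hosted domains


@dataclass
class Server:
    """One inventory row (assumed shape): where it lives and what it reports."""
    hostname: str
    version: str


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '25.7.3' into (25, 7, 3) so versions compare numerically.

    A plain string compare would wrongly rank '25.10' below '25.8'.
    """
    return tuple(int(part) for part in v.strip().split("."))


def is_cloud_hosted(hostname: str) -> bool:
    """True when the host sits under one of the ConnectWise-hosted domains."""
    h = hostname.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in CLOUD_SUFFIXES)


def triage(server: Server) -> str:
    """Classify one server as 'cloud-patched', 'ok', or 'upgrade-required'.

    Cloud-hosted servers are patched by ConnectWise regardless of the version
    string the inventory happens to hold; on-premise servers must be >= 25.8.
    """
    if is_cloud_hosted(server.hostname):
        return "cloud-patched"
    if parse_version(server.version) >= parse_version(FIXED_VERSION):
        return "ok"
    return "upgrade-required"


def servers_needing_upgrade(inventory: list[Server]) -> list[str]:
    """Hostnames of on-premise servers that still need the manual 25.8 upgrade."""
    return [s.hostname for s in inventory if triage(s) == "upgrade-required"]


# Constructed sample inventory (hypothetical hosts, not real systems).
SAMPLE_INVENTORY = [
    Server("support.example-msp.com", "25.7.3"),   # on-prem, behind the fix
    Server("acme.screenconnect.com", "25.7.3"),    # cloud: already patched
    Server("sc-old.corp.example", "24.4.2"),       # on-prem, far behind
    Server("sc.corp.example", "25.8"),             # on-prem, exactly at fix
    Server("sc-new.corp.example", "25.10.1"),      # on-prem, newer than fix
]

if __name__ == "__main__":
    for s in SAMPLE_INVENTORY:
        print(f"{s.hostname:28} {s.version:10} {triage(s)}")
    print("needs upgrade:", servers_needing_upgrade(SAMPLE_INVENTORY))
```

The version tuple compare is the part worth keeping: asset-management exports often carry four-part build strings, and comparing them as text is a classic way to miss a server that is actually behind the fix.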
ConnectWise has confirmed that, currently, “There is no evidence of exploitation” in the wild.