Leaving the Doors Unlocked: Critical 9.0 CVSS ScreenConnect Flaw Exposes Machine Keys

ConnectWise recently issued a critical security update for its ScreenConnect platform, addressing a significant vulnerability that could have allowed unauthorized actors to hijack server-level cryptographic material.

The issue, tracked as CVE-2026-3564, stems from how older versions of the software handled its most sensitive secrets. Before this fix, the system was essentially leaving the doors unlocked for anyone who could get close enough to the server configuration.

According to the official bulletin:

“Earlier versions of ScreenConnect stored unique machine keys per instance within server configuration files, which under certain conditions could allow unauthorized actors to extract this material and misuse it for session authentication“.

With a CVSS Base Score of 9.0, the stakes are incredibly high. If an attacker successfully extracts these keys, they could potentially impersonate legitimate sessions, leading to a total compromise of confidential data and processing resources.

The vulnerability is classified under CWE-347: Improper Verification of Cryptographic Signature. While the attack complexity is rated as high (AC:H), the potential for damage is widespread because no specific user interaction or high-level privileges are required to initiate the exploit once the conditions are met.

ConnectWise has moved quickly to shore up these defenses. The new ScreenConnect version 26.1 introduces “enhanced protections for machine key handling, including encrypted storage and management”. This change is designed to stop attackers in their tracks, even in scenarios where server integrity might already be shaky.

The remediation steps depend on how you host your ScreenConnect instance:

• Cloud Users: Breathe easy. No action is required as the updates are managed by ConnectWise.
• On-Premise Partners: You must upgrade to version 26.1 immediately.
• Automate Integration: If you use ScreenConnect integrated with Automate, the 26.1 update is available via the Automate Product Updates page.