Security & Infrastructure Tools
ConnectWise Releases Patch to Fix Cryptographic Signature Vulnerability in ScreenConnect™
ConnectWise alerts that a cryptographic signature verification flaw (CVE‑2026‑3564) in ScreenConnect versions before 26.1 can allow attackers to hijack sessions by extracting ASP.NET machine keys, enabling unauthorized access and privilege escalation. The vendor has patched the issue in version 26.1 with encrypted key storage and improved handling; cloud users are automatically upgraded while on‑premises admins must update immediately. Although researchers have observed attempts to abuse disclosed machine key material in the wild, no confirmed exploitation or indicators of compromise have been reported yet. ConnectWise advises tightening access controls, monitoring logs for unusual authentication activity, protecting backups, and keeping extensions up to date to mitigate risk.
New Vulnerability in ScreenConnect Threatens Remote Access Operations
A critical security issue has been identified in the remote access platform ScreenConnect, which is widely used by managed service providers (MSPs), IT departments, and support teams. The flaw, cataloged as CVE‑2026‑3564, involves a cryptographic signature verification vulnerability that can enable unauthorized access and privilege escalation.
The defect affects all versions of ScreenConnect prior to 26.1. Attackers who exploit this weakness can extract the ASP.NET machine keys used for session authentication. Once they possess these keys, they are able to forge or modify protected values that the application will accept as legitimate. This capability could allow a threat actor to gain access to an instance and perform unauthorized actions within the system.
ConnectWise has addressed the problem by strengthening protection for machine keys in the latest release (ScreenConnect 26.1). The new version employs encrypted storage and improved handling mechanisms, ensuring that key material is safeguarded against exposure. Cloud users are automatically upgraded to the secure version, while administrators managing on‑premises deployments must promptly upgrade to 26.1 as soon as possible.
While ConnectWise reports no evidence of active exploitation in the wild at this time, it acknowledges that researchers have observed attempts to abuse disclosed ASP.NET machine key material. The vendor encourages any investigators who suspect real-world exploitation to engage in responsible disclosure so findings can be verified and addressed appropriately.
The potential impact of CVE‑2026‑3564 is significant for organizations relying on ScreenConnect for remote support or management tasks. It underscores the importance of staying current with software updates, enforcing strict access controls to configuration files and secrets, monitoring authentication logs for anomalies, safeguarding backups and old data snapshots, and keeping any extensions up to date.
Key Takeaways
- Vulnerability ID: CVE‑2026‑3564
- Affected Versions: ScreenConnect < 26.1
- Severity: Critical
- Mitigation: Upgrade to ScreenConnect 26.1; enforce stringent security controls on configuration and key material
Organizations using ScreenConnect should prioritize upgrading to the latest version immediately to mitigate this risk. Maintaining vigilance through regular patching, secure key management practices, and monitoring for suspicious activity remains essential to protect remote access infrastructure from potential exploitation.