ConnectWise Patches Critical ScreenConnect Cryptographic Flaw
Take action: Treat this update as an emergency change because remote access tools are primary targets for lateral movement and supply chain attacks. If you run on-premises ScreenConnect, verify your version immediately, patch ASAP.
Learn More
ConnectWise released a security update for ScreenConnect to address a critical vulnerability involving cryptographic signature verification.
The flaw is tracked as CVE-2026-3564 (CVSS score 9.0) - An improper verification of cryptographic signature vulnerability that occurs when ScreenConnect fails to adequately protect ASP.NET machine keys stored in server configuration files. Attackers who gain access to these configuration files can extract the unique machine keys to forge or modify protected session values.
By presenting these manipulated values to the server, an attacker can bypass authentication checks and gain unauthorized access with elevated privileges. This mechanism defeats the integrity of session management by allowing the creation of valid authentication tokens without legitimate credentials.
Because ScreenConnect is widely used by Managed Service Providers (MSPs) and IT departments, a compromise provides a direct path into the internal networks of multiple downstream clients.
Researchers have noted historical patterns of similar key theft by threat groups.
The vulnerability impacts all on-premises versions of ConnectWise ScreenConnect prior to version 26.1. This includes instances integrated with other platforms like ConnectWise Automate.
Cloud-hosted instances were also vulnerable but have been automatically updated by the vendor to the secure version.
Administrators must upgrade on-premises ScreenConnect installations to version 26.1 immediately.
