ConnectWise has issued an urgent patch for its ScreenConnect remote access software to address a critical vulnerability. The flaw, tracked as CVE-2025-3935, affects all ScreenConnect versions up to 25.2.3 and allows attackers to inject malicious code into vulnerable systems. Identified by security researchers, it is exploited through the ViewState mechanism in ASP.NET Web Forms, which stores page and control state between server requests. The vulnerability has a high CVSS score of 8.1 and poses significant security risks.
The ViewState code injection attack depends on compromised ASP.NET machine keys, the keys the server uses to protect and validate ViewState. With those keys, attackers can craft malicious ViewState data that the server accepts. Once injected, the malicious code could enable remote code execution on the server. ConnectWise has assigned the vulnerability a Priority 1 rating, indicating it is actively being targeted or highly susceptible to exploitation. This issue follows a pattern of ViewState code injection attacks and adds to growing concerns about publicly disclosed ASP.NET machine keys found in open repositories.
To mitigate the vulnerability, ConnectWise has released ScreenConnect version 25.2.4, which disables ViewState and removes its dependency. Cloud-based users on the screenconnect.com platform have already received the update, while on-premises users must upgrade manually to version 25.2.4. The company also recommends on-premises users assess their systems for any signs of compromise before reconnecting servers. If signs of compromise are detected, the company advises isolating affected servers and following incident response protocols.
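As a starting point for the assessment described above, the following added example (not ConnectWise's code or tooling) checks a reported version against the 25.2.4 fix and audits an ASP.NET `web.config` for static machine keys. The sample config, the key value and the blocklist of disclosed-key digests are constructed assumptions.

```python
import hashlib
import xml.etree.ElementTree as ET

FIXED_VERSION = (25, 2, 4)  # patched release named in the article

# Constructed sample data: this key is made up, not a real disclosed key.
SAMPLE_KEY = "A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D4E5F60718293A4B5C6D7E8F90"
SAMPLE_WEB_CONFIG = f"""<configuration>
  <system.web>
    <machineKey validationKey="{SAMPLE_KEY}"
                decryptionKey="AutoGenerate,IsolateApps" validation="HMACSHA256" />
  </system.web>
</configuration>"""
# Hypothetical blocklist: SHA-256 digests of keys known to be public.
KNOWN_DISCLOSED_SHA256 = {hashlib.sha256(SAMPLE_KEY.encode()).hexdigest()}


def is_vulnerable_version(installed: str) -> bool:
    """True for releases below 25.2.4 (article: all versions up to 25.2.3)."""
    parts = tuple(int(p) for p in installed.strip().split("."))
    return (parts + (0, 0, 0))[:3] < FIXED_VERSION


def audit_machine_keys(xml_text: str, disclosed=frozenset()) -> list:
    """Flag static machine keys and any that appear on the blocklist."""
    findings = []
    # iter() finds <machineKey> even when nested under <location>.
    for mk in ET.fromstring(xml_text).iter("machineKey"):
        for attr in ("validationKey", "decryptionKey"):
            value = mk.get(attr, "AutoGenerate")
            if value.split(",")[0].strip().lower() == "autogenerate":
                continue  # generated by the runtime, not stored in the file
            findings.append(f"static {attr} in config file")
            digest = hashlib.sha256(value.strip().upper().encode()).hexdigest()
            if digest in disclosed:
                findings.append(f"{attr} matches a publicly disclosed key")
    return findings


if __name__ == "__main__":
    print("25.2.3 vulnerable:", is_vulnerable_version("25.2.3"))
    for finding in audit_machine_keys(SAMPLE_WEB_CONFIG, KNOWN_DISCLOSED_SHA256):
        print("FINDING:", finding)
```

A static key is not by itself evidence of compromise; a blocklist match means the key should be treated as known to attackers and rotated.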
This vulnerability is part of ongoing security challenges facing remote access software, following previous exploits such as CVE-2024-1709 and CVE-2024-1708. It highlights the increasing risks associated with remote access tools, especially in distributed work environments. Organizations using ScreenConnect are strongly advised to immediately apply the security patch to protect their infrastructure from potential attacks.