ConnectWise patches new flaw allowing ScreenConnect hijacking

Summary

ConnectWise has patched a critical cryptographic signature verification vulnerability (CVE-2026-3564) in ScreenConnect that could allow attackers to hijack sessions through ASP.NET machine key exploitation. The flaw affects ScreenConnect versions before 26.1 and has reportedly been exploited by Chinese hackers for years.

Key Points

• Critical vulnerability CVE-2026-3564 allows extraction and abuse of ASP.NET machine keys for unauthorized session authentication and privilege escalation
• ScreenConnect versions before 26.1 are affected, with cloud users automatically updated but on-premises deployments requiring manual upgrade
• ConnectWise reports no confirmed evidence of active exploitation but acknowledges researchers have observed attempts to abuse disclosed machine key material in the wild

Takeaways

• Organizations using on-premises ScreenConnect deployments must immediately upgrade to version 26.1 to mitigate this critical vulnerability
• Security teams should review authentication logs for unusual activity, tighten access controls on configuration files, and ensure proper protection of backups containing sensitive key material

Topics: vulnerability, remote access, privilege escalation, cryptography, patch management