ConnectWise Patches New Flaw Allowing ScreenConnect Hijacking
Summary:
ConnectWise disclosed a new high-severity vulnerability in ScreenConnect on March 17, 2026, tracked as CVE-2026-3564 with a CVSS score of 9.0. The vulnerability relates to how server-level cryptographic material is protected: earlier versions of ScreenConnect stored unique machine keys per instance within server configuration files, which under certain conditions could allow unauthorized actors to extract this material and misuse it for session authentication.
ConnectWise has characterized this as a cryptographic signature verification weakness that could lead to unauthorized access and privilege escalation. Exploitation is not a simple unauthenticated remote attack; a significant prerequisite is an actor's prior access to the server-level cryptographic material used by ScreenConnect for authentication, implying either a prior compromise of the server environment or an attack vector that enables exfiltration of that material.
No public proof-of-concept or confirmed in-the-wild exploitation has been reported at this time. ConnectWise has classified the severity as "Important — Priority 1 High," indicating vulnerabilities that could compromise confidential data or other processing resources but require additional access or privilege to do so.
Analyst Comments:
The risk profile of this vulnerability is elevated significantly by ScreenConnect's role in the MSP and IT support ecosystem. A successful exploit, once an attacker has obtained the requisite machine key material, could allow them to forge authenticated sessions and escalate privileges within a ScreenConnect instance. Because ScreenConnect is widely deployed by Managed Service Providers to remotely manage customer endpoints, a compromised ScreenConnect server represents a potential pivot point into downstream client environments at scale.
This vulnerability follows a well-documented pattern. ConnectWise, along with other RMM vendors, has emerged as a popular target for a broad range of threat actors. In early 2024, a slew of attackers exploited two prior ScreenConnect vulnerabilities to gain access to MSP customers and their downstream clients, with exploitation activity including ransomware attacks and cyber-espionage campaigns from suspected North Korean state-sponsored actors.
The machine key attack surface is particularly notable given that in December 2024, Microsoft Threat Intelligence observed in-the-wild misuse of publicly available ASP.NET machine keys to inject malicious code into servers, including ScreenConnect, and subsequently revealed that over 3,000 machine keys had been exposed publicly.
The precedent from May 2025, when a suspected nation-state actor breached ConnectWise's own infrastructure using a similar ViewState/machine key technique, reinforces that this class of vulnerability is actively of interest to sophisticated threat actors.
Suggested Corrections:
ConnectWise has released ScreenConnect version 26.1, which introduces enhanced protections for machine key handling, including encrypted storage and management, reducing the risk of unauthorized access in scenarios where server integrity may be compromised.
Cloud-hosted ScreenConnect instances have already been updated and require no action. On-premises partners must upgrade to ScreenConnect 26.1 immediately; the update is available via the ScreenConnect Download page for customers with a valid on-premises license. Partners using an on-premises ScreenConnect installation integrated with Automate can access ScreenConnect 26.1 through the Automate Product Updates page.
Organizations should also audit server environments for any signs of prior compromise, particularly reviewing administrator account activity and access logs for anomalous logins or unrecognized IP addresses. Because exploitation requires access to machine key material, hardening the underlying server environment is strongly advisable: least-privilege access controls, file integrity monitoring on configuration directories, and multi-factor authentication for administrative access. Members operating ScreenConnect on-premises should treat this as a priority patching action given the product's history as a high-value ransomware and espionage target.
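An added example (not ConnectWise code) of the file integrity monitoring step above: it hashes every `*.config` file under a directory for baseline comparison and flags any ASP.NET-style `<machineKey>` element whose key values are readable in plaintext. The element layout is standard ASP.NET configuration and is an assumption here, since the page does not describe ScreenConnect's file format; the sample files and key values are constructed placeholders.

```python
import hashlib, tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

def key_state(xml_bytes):
    """Classify how <machineKey> material appears in one config file."""
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError:
        return "unparseable"
    state = "absent"
    for mk in root.iter("machineKey"):
        if mk.get("configProtectionProvider"):
            state = "encrypted"          # section wrapped by protected configuration
            continue
        keys = [mk.get("validationKey", ""), mk.get("decryptionKey", "")]
        if any(k and not k.startswith("AutoGenerate") for k in keys):
            return "plaintext"           # literal key values readable from disk
        if state == "absent":
            state = "autogenerate"       # runtime-generated, not stored in the file
    return state

def scan(directory):
    """Map each *.config file (relative path) to its SHA-256 and key state."""
    out = {}
    for p in sorted(Path(directory).rglob("*.config")):
        data = p.read_bytes()
        out[str(p.relative_to(directory))] = {
            "sha256": hashlib.sha256(data).hexdigest(),
            "machine_key": key_state(data)}
    return out

def drift(baseline, current):
    """Files added, removed or modified since the baseline scan."""
    names = set(baseline) | set(current)
    return sorted(n for n in names if baseline.get(n, {}).get("sha256")
                  != current.get(n, {}).get("sha256"))

def demo():
    # Constructed sample files; EncryptedData body omitted, keys are placeholders.
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "web.config").write_text(
            '<configuration><system.web><machineKey validationKey="PLACEHOLDER_HEX" '
            'decryptionKey="PLACEHOLDER_HEX" /></system.web></configuration>')
        (root / "protected.config").write_text(
            '<configuration><system.web><machineKey configProtectionProvider='
            '"RsaProtectedConfigurationProvider" /></system.web></configuration>')
        before = scan(root)
        (root / "web.config").write_text("<configuration />")  # simulated change
        return before, drift(before, scan(root))
```

Hash drift only reveals modification; reads of key material need file-access auditing on the same directory.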
Sources:
https://www.connectwise.com/company/trust/security-bulletins/2026-03-17-screenconnect-bulletin