Current Cyber Threats

Critical ScreenConnect Vulnerability Exposes Machine Keys

Summary:
ConnectWise has released a security update for a critical vulnerability in its ScreenConnect remote monitoring and management (RMM) platform that exposes server-level cryptographic material. Tracked as CVE-2026-3564, this vulnerability allows unauthorized actors to extract ASP[.]NET machine keys from server configuration files and misuse them for session authentication. The ASP[.]NET framework relies on these cryptographic components to sign, encrypt, and validate protected application data. Successful exploitation enables threat actors to elevate privileges, access active remote sessions, and potentially compromise the underlying server integrity. While ConnectWise has not validated third-party claims of long-term exploitation by state-sponsored groups, they have observed attempts to abuse disclosed ASP[.]NET machine key material. The release of ScreenConnect version 26.1 mitigates this risk by introducing encrypted storage and management for all machine keys.

Security Officer Comments:
CVE-2026-3564 is an Improper Verification of Cryptographic Signature vulnerability (CWE-347) caused by the insecure storage of ASP[.]NET machine keys. In ScreenConnect versions prior to 26.1, unique machine keys utilized by the framework to sign and validate protected application data are stored within server configuration files.

Attackers initiate the exploit chain by extracting these keys from compromised servers, insecure backups, exported configuration archives, or historical snapshots. Using the extracted cryptographic material, threat actors can forge or modify protected values that the ScreenConnect instance inherently treats as valid. This enables the attacker to bypass authentication, execute unauthorized actions, elevate privileges, and compromise active remote sessions.

ConnectWise assigned this a Priority 1 (High) rating, confirming that security researchers have observed active, in-the-wild attempts to abuse disclosed ASP[.]NET machine key material.

Suggested Corrections:
Actionable Suggested Corrections

  • Upgrade on-premises ScreenConnect instances to version 26.1 immediately to implement encrypted machine key storage and enable on-demand regeneration of cryptographic material.
  • Restrict instance-level and server-level access controls to prevent unauthorized access to sensitive application configuration files and secrets.
  • Secure all backups, exported configuration archives, and historical server snapshots to ensure they are inaccessible to untrusted users or systems.
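
One way to check backups and exported archives for exposed key material, as an added example that is not ConnectWise's code or part of the original advisory: a Python audit that walks a directory (including .zip archives) and reports every *.config file whose standard ASP.NET `<machineKey>` element carries literal key values. It assumes the keys sit in a `<machineKey>` element of a `.config` file, which the advisory does not specify; `literal_key_attrs`, `scan_tree` and the sample config are constructed for this illustration.

```python
import sys
import zipfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample (placeholder hex). Assumes keys sit in <machineKey> of a *.config.
SAMPLE_EXPOSED = b"""<configuration><system.web>
  <machineKey validationKey="00112233445566778899AABBCCDDEEFF"
              decryptionKey="FFEEDDCCBBAA99887766554433221100"
              validation="HMACSHA256" decryption="AES" />
</system.web></configuration>"""

def literal_key_attrs(xml_bytes):
    """Names of <machineKey> attributes that hold literal key material."""
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError:
        return []  # not well-formed XML: nothing to report
    found = []
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] != "machineKey":  # ignore any xmlns prefix
            continue
        for attr in ("validationKey", "decryptionKey"):
            value = el.get(attr, "")
            # "AutoGenerate[,IsolateApps]" means no key is written in the file.
            if value and not value.startswith("AutoGenerate"):
                found.append(attr)
    return found

def scan_tree(root):
    """Sorted (location, attrs) for *.config files, loose or inside *.zip."""
    hits = []
    for path in Path(root).rglob("*"):
        rel, name = path.relative_to(root).as_posix(), path.name.lower()
        if not path.is_file():
            continue
        if name.endswith(".config"):
            blobs = [(rel, path.read_bytes())]
        elif name.endswith(".zip") and zipfile.is_zipfile(path):
            with zipfile.ZipFile(path) as zf:
                blobs = [(f"{rel}!{m}", zf.read(m)) for m in zf.namelist()
                         if m.lower().endswith(".config")]
        else:
            continue
        hits += [(loc, a) for loc, b in blobs if (a := literal_key_attrs(b))]
    return sorted(hits)

if __name__ == "__main__":
    for location, attrs in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{location}: literal {', '.join(attrs)}")  # values never printed
```

Any location it reports is a copy of the keys that needs the same access restrictions as the live server, and the report lists attribute names only so the output itself is safe to share.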
General Best Practices
  • Monitor ScreenConnect application and server logs continuously for unusual authentication activity or unexpected administrative actions.
  • Maintain all ScreenConnect extensions on supported and up-to-date versions, ensuring only trusted extensions are installed.
  • Regularly review administrative access activity and limit configuration interface access strictly to authorized personnel.
Link(s):
https://www.securityweek.com/critical-screenconnect-vulnerability-exposes-machine-keys/

https://www.connectwise.com/company/trust/security-bulletins/2026-03-17-screenconnect-bulletin

https://www.connectwise.com/company/trust/advisories