Sitecore ViewState exploitation and ScreenConnect machine-key hardening

A **2025 ViewState deserialization attack wave** is continuing to expose **ASP.NET** deployments to **remote code execution** when machine keys are leaked or improperly protected. The latest case is **CVE-2025-53690** in **Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud**, where attackers abused an exposed **ASP.NET machine key** to compromise internet-facing servers. **CISA** has told **FCEB agencies** to update Sitecore by **September 25, 2025** as **Mandiant** reported active exploitation, deployment of **WEEPSTEEL**, and follow-on use of tools such as **EarthWorm** and **SharpHound** for reconnaissance, persistence, lateral movement, and **data theft**.

ConnectWise released **ScreenConnect 26.1** to harden **machine key** handling after disclosing **CVE-2026-3564**, a flaw that can enable **unauthorized access** and **privilege escalation**. The update covers **ScreenConnect versions before 26.1** and adds **encrypted storage** plus improved handling for machine keys. **Cloud** customers were moved to the safe version automatically, while **on-premises** administrators were told to upgrade **as soon as possible**. ConnectWise also said it has **no evidence of active exploitation** in its hosted service, even though attempts to abuse disclosed machine key material were observed in the wild.

ConnectWise disclosed **CVE-2026-3564**, a **cryptographic signature verification vulnerability** in **ScreenConnect** that can enable **unauthorized access** and **privilege escalation**. The flaw affects **versions before 26.1** and may let an attacker abuse **ASP.NET machine keys** for **unauthorized session authentication**. **ScreenConnect 26.1** adds stronger machine-key protection, and **on-premises** administrators are being told to upgrade as soon as possible. ConnectWise said it has **no evidence of active exploitation** of this specific flaw and **no confirmed IOCs** to share.