ScreenConnect cryptographic signature verification vulnerability (CVE-2026-3564)
Vulnerability
Summary
Hide ▲
Show ▼
ConnectWise disclosed CVE-2026-3564, a cryptographic signature verification vulnerability in ScreenConnect that can enable unauthorized access and privilege escalation. The flaw affects versions before 26.1 and may let an attacker abuse ASP.NET machine keys for unauthorized session authentication. ScreenConnect 26.1 adds stronger machine-key protection, and on-premises administrators are being told to upgrade as soon as possible. ConnectWise said it has no evidence of active exploitation of this specific flaw and no confirmed IOCs to share.
Cases
Related Happenings
IBM API Connect CVE-2025-13915 mitigation guidance
Advisory/Mitigation
First: 31.12.2025 12:34
Last: 31.12.2025 12:34
Sources 1
About this happening:
**IBM** told customers to upgrade **IBM API Connect** to address **CVE-2025-13915**, a **critical authentication bypass** that can let **unauthenticated attackers** reach exposed...
IBM API Connect CVE-2025-13915 mitigation guidance
Advisory/MitigationAbout this happening: **IBM** told customers to upgrade **IBM API Connect** to address **CVE-2025-13915**, a **critical authentication bypass** that can let **unauthenticated attackers** reach exposed...
Syncro MSP agent deploying ScreenConnect for remote access
Malware Activity
First: 15.10.2025 22:22
Last: 15.10.2025 22:22
Sources 1
About this happening:
The **Syncro** payload installs **ScreenConnect** through a hidden remote-management agent, giving operators **remote access** to infected endpoints and a path to **follow-on payl...
Syncro MSP agent deploying ScreenConnect for remote access
Malware ActivityAbout this happening: The **Syncro** payload installs **ScreenConnect** through a hidden remote-management agent, giving operators **remote access** to infected endpoints and a path to **follow-on payl...
ViewState deserialization attack wave (2025)
Exploitation Wave
First: 05.09.2025 01:05
Last: 05.09.2025 01:05
Sources 1
About this happening:
A **2025 ViewState deserialization attack wave** is continuing to expose **ASP.NET** deployments to **remote code execution** when machine keys are leaked or improperly protected....
ViewState deserialization attack wave (2025)
Exploitation WaveAbout this happening: A **2025 ViewState deserialization attack wave** is continuing to expose **ASP.NET** deployments to **remote code execution** when machine keys are leaked or improperly protected....
Timeline
-
18.03.2026 20:10 2 articles · 2mo ago
ConnectWise warns ScreenConnect customers about CVE-2026-3564
Initial DisclosureConnectWise warned ScreenConnect customers about CVE-2026-3564, a cryptographic signature verification vulnerability affecting ScreenConnect versions before 26.1 that could let an attacker abuse ASP.NET machine keys for unauthorized session authentication, unauthorized access, and privilege escalation. The vendor said researchers observed attempts to abuse disclosed ASP.NET machine key material in the wild, but it had no evidence of active exploitation in ConnectWise-hosted ScreenConnect and no confirmed IOCs to share. ScreenConnect 26.1 adds stronger machine-key protection, and on-premises administrators are told to upgrade as soon as possible while also tightening access to configuration files and secrets, checking logs for unusual authentication activity, protecting backups and old data snapshots, and keeping extensions up to date.
Show sources
- ConnectWise patches new flaw allowing ScreenConnect hijacking — www.bleepingcomputer.com — 18.03.2026 20:10
- ConnectWise patches new flaw allowing ScreenConnect hijacking — www.bleepingcomputer.com — 18.03.2026 20:10