Critical Vulnerability in ScreenConnect exposes ASP.NET keys and requires updating to version 26.1

ConnectWise has warned ScreenConnect users about a vulnerability in the verification of cryptographic signatures that can allow unauthorized access and the escalation of privileges. The failure affects the versions prior to 26.1 and has been recorded in the vulnerability database as CVE-2026-3564, which obtained a critical severity score. ScreenConnect is a remote access platform widely used by managed service providers (MSP), IT departments and support equipment, and can be cloud-hosted by ConnectWise or deployed locally on customers' servers.

The core of the problem is the protection of ASP.NET machine keys. These keys are used to sign and encrypt protected values that the application uses to authenticate sessions and safeguard sensitive data. If an opponent is able to extract that secret material, he could forge or alter protected values so that the server accepts them as legitimate, with the result of entering foreign sessions or executing actions with high permits within the committed instance. To lose control of the machine keys is to lose the ability to distinguish legitimate tokens from manipulated tokens. To better understand how these keys work and why they are critical, you can see Microsoft documentation on the machineKey element in ASP.NET: learn.microsoft.com.

ConnectWise has addressed vulnerability by strengthening the protection and storage of those keys in ScreenConnect 26.1, including rest encryption and tighter handling of secrets. Proactively, cloud platform users have already been migrated to the secure version, but managers operating on-premises deployments should apply the update to version 26.1 as soon as possible to close the exposure window. The official note with the details and recommendations of the manufacturer is available in the security bulletin of ConnectWise: ConnectWise ScreenConnect bulletin and on its general notice page: ConnectWise advices.

In addition to the technical correction, ConnectWise has warned that there are signs of attempts to abuse machine keys in the real world, transforming the threat from theoretical to tangible. However, the company told the media that, at least until the time of its communication, it has no confirmed evidence of active exploitation of CVE-2026-3564 in its housed instances, so it cannot provide verified commitment indicators (IoC). ConnectWise also encourages researchers to identify malicious activity related to responsible disclosure to validate and mitigate findings.

In parallel to the official communication, demands have emerged on social networks and forums on active exploitation, including an X-based publication that suggests long-term use by actors linked to China; this is not publicly verified and it is not clear whether it points to the same failure. The publication referred to here can be reviewed: X claim. It should be recalled that in recent years commitments related to secret keys have already been documented in ScreenConnect: for example, attacks that took advantage of the vulnerability identified as CVE-2025-3935 to extract keys from ScreenConnect servers.

If you manage an environment using ScreenConnect, the first necessary action is to program and apply the update to version 26.1 on on- premises systems that have not been automatically migrated. Beyond the patch, it is recommended to review and tighten controls around the configuration files and secret stores, limit access to old backup and snapshots, audit records in search of unusual authentication patterns and keep the supplements and extensions up to date. These measures reduce the potential for accidental filtration or side access to become a key to a larger gap.

The situation also shows an operational aspect: many organizations rely on suppliers and remote support tools to manage critical infrastructure, and a failure in the protection of secret keys exposes not only the software itself, but the set of customers that depend on it. Managed suppliers and IT equipment must assume that the threat is serious and act urgently, updating, auditing and reviewing policies for access to and protection of secrets. When vectors pass through permanent secrets - such as machine keys - periodic rotation and encrypted storage with granular access controls are practices that should be part of the operating standard.

To follow the thread of this vulnerability and verify official communications, the recommended sources include entry into the NVD database for vulnerability ( CVE-2026-3564), the ConnectWise newsletter on ScreenConnect and press reports specialized as BleepingComputer which covered the incident and the manufacturer's statements. Keeping informed and applying the recommended corrections is, at this time, the best defense for organizations that depend on ScreenConnect.