Description
ScreenConnect versions 25.2.3 and earlier may be susceptible to a ViewState code injection attack. ASP.NET Web Forms use ViewState to preserve page and control state, with the data Base64-encoded and protected by the application's machine keys.
Note that obtaining these machine keys requires privileged, system-level access.
If these machine keys are compromised, attackers could craft and send a malicious ViewState to the website, potentially leading to remote code execution on the server.
The risk does not originate from a vulnerability introduced by ScreenConnect, but from platform-level behavior. It has no direct impact on the ScreenConnect client. The ScreenConnect 2025.4 patch disables ViewState and removes any dependency on it.
Product(s):
- ConnectWise ScreenConnect
- CONNECTWISE > screenconnect 19.*.*
- CONNECTWISE > screenconnect 20.*.*
- CONNECTWISE > screenconnect 21.*.*
- CONNECTWISE > screenconnect 22.*.*
- ConnectWise ScreenConnect 22.7
- CONNECTWISE > screenconnect 23.*.*
- ConnectWise ScreenConnect 23.8.4
- ConnectWise ScreenConnect 23.8.5
- ConnectWise ScreenConnect 23.9.8
- CONNECTWISE > screenconnect 24.*.*
- CONNECTWISE > screenconnect 6.*.*
Questions to Ask Vendors:
- 1: Have you applied the 2025.4 patch (or later) to all instances of ScreenConnect to mitigate the risk of ViewState code injection as per CVE-2025-3935?
- 2: Have you generated new machine keys and updated the web.config via the TransformWebConfig.xsl process after patching to invalidate any potentially stolen keys?
- 3: Have you implemented measures to monitor for anomalous POST requests containing oversized __VIEWSTATE parameters and unexpected deserialization errors in server logs, which could indicate exploitation of this vulnerability?
- 4: Have you taken steps to store decryptionKey and validationKey outside of web-accessible directories and restrict filesystem permissions to prevent unauthorized read access, as recommended in the advisory?
Recommended Actions:
- Harden Access Controls: Restrict administrative file access, employ least-privilege service accounts, and audit any access to web.config files.
- Monitor for Indicators: Watch for anomalous POST requests containing oversized __VIEWSTATE parameters and unexpected deserialization errors in server logs.
- Protect Machine Keys: Store decryptionKey and validationKey outside of web-accessible directories and restrict filesystem permissions to prevent unauthorized read access.
- Rotate Keys: After patching, generate new machine keys and update the web.config via the TransformWebConfig.xsl process to invalidate any stolen keys.
- Upgrade ScreenConnect: Apply the 2025.4 patch (or later), which disables ViewState entirely and removes its related code.
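The "Monitor for Indicators" item above, worked through as an added example (not code from the advisory or from ConnectWise): it flags POST requests whose request size suggests an oversized __VIEWSTATE and correlates them with ViewState/deserialization error lines. The IIS field order, the 64 KB threshold and the application-log format with a `client=` field are assumptions; both logs are constructed samples.

```python
import re
from collections import defaultdict
# Assumption: IIS W3C fields in this order; cs-bytes is the request size in bytes.
FIELDS = "date time cs-method cs-uri-stem c-ip sc-status cs-bytes".split()
OVERSIZED_BYTES = 64 * 1024  # assumed threshold; tune against your own baseline

# Constructed sample IIS log: only the two POSTs from 203.0.113.7 should be flagged.
IIS_LOG = """\
#Fields: date time cs-method cs-uri-stem c-ip sc-status cs-bytes
2025-04-25 10:01:02 GET /Host 10.0.0.5 200 412
2025-04-25 10:01:05 POST /Host 10.0.0.5 200 2310
2025-04-25 10:02:40 POST /Host 203.0.113.7 500 389112
2025-04-25 10:02:41 POST /Host 203.0.113.7 500 402004
"""
# Constructed application-log excerpts; the "client=" field is our own convention.
APP_LOG = """\
2025-04-25 10:02:40 client=203.0.113.7 Validation of viewstate MAC failed
2025-04-25 10:02:41 client=203.0.113.7 LosFormatter.Deserialize threw: Unable to cast object
2025-04-25 10:03:10 client=10.0.0.5 Request completed
"""
ERROR_PATTERNS = re.compile(r"viewstate MAC failed|deserializ|invalid viewstate", re.I)

def oversized_posts(log_text, threshold=OVERSIZED_BYTES):
    """Return [(client_ip, uri, cs_bytes, status)] for POSTs larger than threshold."""
    hits = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):  # skip header/blank lines
            continue
        rec = dict(zip(FIELDS, line.split()))
        if rec["cs-method"] == "POST" and int(rec["cs-bytes"]) > threshold:
            hits.append((rec["c-ip"], rec["cs-uri-stem"], int(rec["cs-bytes"]), rec["sc-status"]))
    return hits

def error_clients(app_log):
    """Map client IP -> count of ViewState / deserialization error lines."""
    counts = defaultdict(int)
    for line in app_log.splitlines():
        m = re.search(r"client=(\S+)", line)
        if m and ERROR_PATTERNS.search(line):
            counts[m.group(1)] += 1
    return dict(counts)

def correlate(iis_log, app_log, threshold=OVERSIZED_BYTES):
    """Clients that sent oversized POSTs *and* triggered ViewState errors."""
    errs = error_clients(app_log)
    suspects = {ip for ip, _, _, _ in oversized_posts(iis_log, threshold)}
    return sorted((ip, errs[ip]) for ip in suspects if ip in errs)

for ip, n in correlate(IIS_LOG, APP_LOG):
    print(f"ALERT {ip}: oversized POSTs and {n} ViewState/deserialization errors")
```

A large POST alone is a weak signal (legitimate pages can carry big ViewState), so treat the correlated result as the one worth alerting on and baseline the threshold per application.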
References:
- http://webappsec.pbworks.com/Insufficient-Authentication
- https://attackerkb.com/topics/o59vR5d8MG/cve-2025-3935
- https://capec.mitre.org/data/definitions/114.html
- https://capec.mitre.org/data/definitions/115.html
- https://capec.mitre.org/data/definitions/151.html
- https://capec.mitre.org/data/definitions/194.html
- https://capec.mitre.org/data/definitions/22.html
- https://capec.mitre.org/data/definitions/57.html
- https://capec.mitre.org/data/definitions/593.html
- https://capec.mitre.org/data/definitions/633.html
- https://capec.mitre.org/data/definitions/650.html
- https://capec.mitre.org/data/definitions/94.html
- https://nvd.nist.gov/vuln/detail/CVE-2025-3935
- https://www.bleepingcomputer.com/news/security/connectwise-breached-in-cyberattack-linked-to-nation-state-hackers/
- https://www.connectwise.com/company/trust/security-bulletins/screenconnect-security-patch-2025.4