published date: April 25, 2025

CVE-2025-3935 : ConnectWise ScreenConnect Improper Authentication Vulnerability

ScreenConnect - May2025

Description

ScreenConnect versions 25.2.3 and earlier may be susceptible to a ViewState code injection attack. ASP.NET Web Forms use ViewState to preserve page and control state, with data encoded using Base64 and protected by machine keys. It is important to note that obtaining these machine keys requires privileged system-level access. If these machine keys are compromised, attackers could create and send a malicious ViewState to the website, potentially leading to remote code execution on the server. The risk does not originate from a vulnerability introduced by ScreenConnect, but from platform-level behavior. This had no direct impact on the ScreenConnect Client. The ScreenConnect 2025.4 patch disables ViewState and removes any dependency on it.

Product(s):

  • ConnectWise ScreenConnect
  • CONNECTWISE > screenconnect 19.*.*
  • CONNECTWISE > screenconnect 20.*.*

Questions to Ask Vendors:

  1. Have you applied the 2025.4 patch (or later) to all instances of ScreenConnect to mitigate the risk of ViewState code injection as per CVE-2025-3935?
  2. Have you generated new machine keys and updated the web.config via the TransformWebConfig.xsl process after patching to invalidate any potentially stolen keys?
  3. Have you implemented measures to monitor for anomalous POST requests containing oversized __VIEWSTATE parameters and unexpected deserialization errors in server logs, which could indicate exploitation of this vulnerability?
  4. Have you taken steps to store decryptionKey and validationKey outside of web-accessible directories and restrict filesystem permissions to prevent unauthorized read access, as recommended in the advisory?
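
One way to implement the monitoring asked about in question 3, as an added example that is not part of the original advisory or any ConnectWise code. It assumes a proxy or WAF that records POST bodies as JSON lines; the field names, the 4096-character threshold and the error substrings are assumptions to tune against your own baseline.

```python
import json
from urllib.parse import parse_qs

# Assumed threshold: set it from a baseline of legitimate traffic.
MAX_VIEWSTATE_CHARS = 4096
# Assumed substrings marking ViewState/deserialization failures in app logs.
ERROR_MARKERS = ("viewstate verification failed",
                 "validation of viewstate mac failed",
                 "serializationexception")

def oversized_viewstate_posts(request_lines, limit=MAX_VIEWSTATE_CHARS):
    """Return (client, path, length) for POSTs whose __VIEWSTATE exceeds limit."""
    hits = []
    for line in request_lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed records instead of aborting the scan
        if not isinstance(rec, dict) or rec.get("method", "").upper() != "POST":
            continue
        form = parse_qs(rec.get("body", ""), keep_blank_values=True)
        for value in form.get("__VIEWSTATE", []):
            if len(value) > limit:
                hits.append((rec.get("client"), rec.get("path"), len(value)))
    return hits

def deserialization_errors(app_log_lines):
    """Return application log lines that contain any assumed error marker."""
    return [line for line in app_log_lines
            if any(marker in line.lower() for marker in ERROR_MARKERS)]

# Constructed sample data (documentation IP ranges, hypothetical path).
SAMPLE_REQUESTS = [
    json.dumps({"client": "198.51.100.7", "method": "POST", "path": "/example.aspx",
                "body": "__VIEWSTATE=" + "A" * 120 + "&user=alice"}),
    json.dumps({"client": "203.0.113.9", "method": "POST", "path": "/example.aspx",
                "body": "__VIEWSTATE=" + "B" * 9000}),
    json.dumps({"client": "203.0.113.9", "method": "GET", "path": "/", "body": ""}),
    "not-json garbage line",
]
SAMPLE_APP_LOG = [
    "2025-05-01 10:02:11 WARN Viewstate verification failed. Reason: Viewstate was invalid.",
    "2025-05-01 10:02:12 INFO Session started",
    "2025-05-01 10:02:13 ERROR System.Runtime.Serialization.SerializationException: constructed",
]

if __name__ == "__main__":
    print(oversized_viewstate_posts(SAMPLE_REQUESTS))
    print(deserialization_errors(SAMPLE_APP_LOG))
```

Correlating the two result sets by client address and time window gives a stronger signal than either one alone.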
