Emergency Security Bulletin: ConnectWise ScreenConnect ViewState Code Injection Vulnerability


By: RedLegg's Cyber Threat Intelligence Team

About:

RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats we classify as the highest severity level and warrant out-of-band emergency patching or mitigation action.


VULNERABILITIES

ConnectWise Code Injection Vulnerability


CVSS Score: 8.1 (High)
Identifier: CVE-2025-3935
Exploit or POC: Yes – Publicly available
Update: CVE-2025-3935 – ConnectWise Security Advisory

Description: CVE-2025-3935 is a high-severity vulnerability affecting ConnectWise ScreenConnect versions 25.2.3 and earlier. The flaw arises from the use of ASP.NET Web Forms' ViewState mechanism, which preserves page and control state between requests. ViewState data is Base64-encoded and its integrity is protected by the server's machine keys. If an attacker obtains those machine keys (which requires privileged system-level access), they can craft ViewState data that the server accepts as valid, potentially leading to remote code execution. This vulnerability has been actively exploited in the wild, including in attacks attributed to suspected nation-state actors targeting a limited number of ScreenConnect customers.
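To make the trust relationship in the description concrete, the following is an added example, not code from RedLegg's bulletin or from ConnectWise. It is a deliberately simplified model of MAC-protected ViewState (Base64 over state plus an HMAC), not ASP.NET's real serializer or key derivation; the key, the sample state string and the function names are constructed for illustration. It shows that the server accepts exactly those blobs whose MAC validates under its own machine key, which is why key secrecy is the entire security boundary and why the fix in 25.2.4 removes the ViewState dependency rather than relying on the keys staying secret.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed, simplified model of MAC-protected ViewState. Real ASP.NET uses its own
# serializer and key derivation; the point shown here is only the trust relationship:
# the server accepts whatever a blob carries as long as its MAC validates under the
# server's machine key, so key secrecy is the whole security boundary.

MAC_LEN = hashlib.sha256().digest_size  # 32 bytes


def protect(state: bytes, validation_key: bytes) -> str:
    """Emit Base64(state || HMAC-SHA256(validation_key, state))."""
    mac = hmac.new(validation_key, state, hashlib.sha256).digest()
    return base64.b64encode(state + mac).decode("ascii")


def validate(blob: str, validation_key: bytes) -> Optional[bytes]:
    """Return the embedded state only if its MAC validates under this key."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    if len(raw) <= MAC_LEN:
        return None
    state, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(validation_key, state, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None             # tampered, or produced under a different key
    return state


def demo() -> dict:
    """Exercise the three cases a defender cares about; True means the server accepted it."""
    server_key = os.urandom(32)                     # stands in for the machineKey (constructed)
    genuine = protect(b"page=Login;theme=default", server_key)

    # Tamper with one byte of the state and re-encode: the MAC no longer matches.
    raw = bytearray(base64.b64decode(genuine))
    raw[0] ^= 0x01
    tampered = base64.b64encode(bytes(raw)).decode("ascii")

    # A blob MACed under some other key is rejected as long as the server key is secret.
    foreign = protect(b"page=Login", os.urandom(32))

    return {
        "genuine": validate(genuine, server_key) is not None,
        "tampered": validate(tampered, server_key) is not None,
        "other_key": validate(foreign, server_key) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The MAC check rejects both tampering and blobs produced under a different key, but it cannot distinguish a genuine blob from one produced by anyone who holds the server's key; once the machine keys leak, validation offers no protection, which is the situation the bulletin describes.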

Affected Versions:

  • ScreenConnect versions up to and including 25.2.3

Mitigation Recommendation: ConnectWise has released ScreenConnect version 25.2.4, which addresses this vulnerability by disabling ViewState and removing its dependency.

  • Cloud-hosted instances: No action is required; patches have been automatically applied to servers hosted on “screenconnect.com” and “hostedrmm.com.”

  • On-premises users with active maintenance: Upgrade to version 25.2.4 following the upgrade path: 22.8 → 23.3 → 25.2.4.

  • On-premises users without active maintenance: Security patches are available for select older versions dating back to release 23.9. Users are encouraged to renew maintenance and upgrade to the latest version.

If immediate patching is not feasible, it is recommended to implement temporary mitigations such as restricting access to vulnerable systems, monitoring for unusual activity, and isolating unpatchable systems.
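As an added example that is not part of RedLegg's bulletin or any ConnectWise tooling, the following Python helper applies the affected-version, hosting and maintenance rules above to a constructed host inventory and prints the action each host needs. The inventory records, hostnames, four-part version strings such as 25.2.4.8811, and the `maintenance` field are assumptions about what an asset export would contain; the version boundary, cloud domains and upgrade hops are the ones stated in the bulletin.

```python
from typing import Dict, List, Optional, Tuple

# Values below come from the bulletin; SAMPLE_INVENTORY is constructed sample data.
LAST_VULNERABLE = (25, 2, 3)                 # "25.2.3 and earlier"
UPGRADE_PATH = ("22.8", "23.3", "25.2.4")    # hop sequence for on-prem upgrades
CLOUD_DOMAINS = ("screenconnect.com", "hostedrmm.com")  # patched automatically by vendor


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Turn '25.2.3' or '23.9.8.8811' into an integer tuple; None if malformed."""
    try:
        return tuple(int(p) for p in text.strip().split("."))
    except ValueError:
        return None


def _first_three(v: Tuple[int, ...]) -> Tuple[int, int, int]:
    """Pad or trim to three components so '25.2' compares as (25, 2, 0)."""
    return (v + (0, 0, 0))[:3]


def is_affected(version: str) -> Optional[bool]:
    """True if the first three components are <= 25.2.3; None if unparseable."""
    v = parse_version(version)
    if v is None:
        return None
    return _first_three(v) <= LAST_VULNERABLE


def remaining_hops(version: str) -> List[str]:
    """Hops of the bulletin's upgrade path still above the running version."""
    cur = _first_three(parse_version(version))
    return [hop for hop in UPGRADE_PATH if _first_three(parse_version(hop)) > cur]


def is_cloud_hosted(hostname: str) -> bool:
    """Exact or dot-suffix match only, so 'evilscreenconnect.com' is not treated as cloud."""
    return any(hostname == d or hostname.endswith("." + d) for d in CLOUD_DOMAINS)


def recommend(host: Dict[str, str]) -> str:
    """Map one inventory record to the bulletin's recommended action."""
    if is_cloud_hosted(host["hostname"]):
        return "none: cloud-hosted, patched by ConnectWise"
    affected = is_affected(host["version"])
    if affected is None:
        return "verify version manually"
    if not affected:
        return "none: already 25.2.4 or later"
    if host.get("maintenance") == "active":
        return "upgrade: " + " -> ".join(remaining_hops(host["version"]))
    return "renew maintenance, then upgrade; restrict access and monitor meanwhile"


def triage(inventory: List[Dict[str, str]]) -> Dict[str, str]:
    """Return {hostname: action} for a whole inventory."""
    return {h["hostname"]: recommend(h) for h in inventory}


SAMPLE_INVENTORY = [  # constructed sample data
    {"hostname": "rc.example.screenconnect.com", "version": "25.2.3"},
    {"hostname": "sc01.corp.example", "version": "23.9.8", "maintenance": "active"},
    {"hostname": "sc02.corp.example", "version": "21.14.2", "maintenance": "active"},
    {"hostname": "sc03.corp.example", "version": "25.2.4.8811", "maintenance": "active"},
    {"hostname": "sc04.branch.example", "version": "24.1.5", "maintenance": "expired"},
    {"hostname": "sc05.branch.example", "version": "unknown", "maintenance": "active"},
]

if __name__ == "__main__":
    for hostname, action in triage(SAMPLE_INVENTORY).items():
        print(f"{hostname:32} {action}")
```

Hosts whose version string does not parse are flagged for manual verification rather than silently treated as safe, and the cloud check requires an exact domain or dot-separated suffix so that a look-alike hostname is not excused from patching.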



Note: Given the active exploitation of this vulnerability and its potential impact, prompt action is essential to secure affected systems. Regularly reviewing and applying security updates is vital to maintaining the integrity and security of your infrastructure.