About:
RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats that we classify at the highest severity level and that warrant out-of-band emergency patching or mitigation action.
CVSS Score: 8.1 (High)
Identifier: CVE-2025-3935
Exploit or POC: Yes – Publicly available
Update: CVE-2025-3935 – ConnectWise Security Advisory
Description: CVE-2025-3935 is a high-severity vulnerability affecting ConnectWise ScreenConnect versions 25.2.3 and earlier. The flaw arises from the use of ASP.NET Web Forms' ViewState mechanism, which preserves page and control state information. ViewState data is encoded using Base64 and protected by machine keys. If an attacker obtains these machine keys, which requires privileged system-level access, they can craft and send malicious ViewState data to the server, potentially leading to remote code execution. This vulnerability has been actively exploited in the wild, including in attacks attributed to suspected nation-state actors targeting a limited number of ScreenConnect customers.
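The trust model behind the description above, as an added example that is not part of the original bulletin or ConnectWise's code: a simplified model of keyed state validation showing that the check proves possession of the machine key, not that the server produced the data. The HMAC-SHA256 layout, function names and key values are assumptions for illustration and do not reproduce ASP.NET's actual ViewState format or key derivation.

```python
import base64
import hashlib
import hmac
from typing import Optional

MAC_LEN = hashlib.sha256().digest_size  # 32-byte tag appended to the state


def protect(state: bytes, machine_key: bytes) -> str:
    """Append an HMAC over the serialized state, then Base64-encode (simplified model)."""
    tag = hmac.new(machine_key, state, hashlib.sha256).digest()
    return base64.b64encode(state + tag).decode("ascii")


def validate(blob: str, machine_key: bytes) -> Optional[bytes]:
    """Return the state if its MAC verifies under machine_key, otherwise None."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:  # malformed Base64
        return None
    if len(raw) < MAC_LEN:
        return None
    state, tag = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(machine_key, state, hashlib.sha256).digest()
    return state if hmac.compare_digest(tag, expected) else None


def demo() -> dict:
    server_key = b"constructed-machine-key-A"  # constructed sample values
    other_key = b"constructed-machine-key-B"
    state = b"control=grid1;page=3"
    issued = protect(state, server_key)

    # Flip one bit of the state without recomputing the tag.
    raw = bytearray(base64.b64decode(issued))
    raw[0] ^= 0x01
    tampered = base64.b64encode(bytes(raw)).decode("ascii")

    return {
        "issued_by_server": validate(issued, server_key) == state,
        "tampered_without_key": validate(tampered, server_key) is None,
        "signed_with_other_key": validate(protect(state, other_key), server_key) is None,
        # Any holder of the real key passes the check: it cannot tell who signed.
        "signed_by_any_key_holder":
            validate(protect(b"not-from-server", server_key), server_key) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

Every protection in this model rests on the machine key staying secret, which is why removing ViewState, as version 25.2.4 does, removes that dependency.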
Affected Versions: ConnectWise ScreenConnect versions 25.2.3 and earlier
Mitigation Recommendation: ConnectWise has released ScreenConnect version 25.2.4, which addresses this vulnerability by disabling ViewState and removing its dependency.
If immediate patching is not feasible, it is recommended to implement temporary mitigations such as restricting access to vulnerable systems, monitoring for unusual activity, and isolating unpatchable systems.
Note: Given the active exploitation of this vulnerability and its potential impact, prompt action is essential to secure affected systems. Regularly reviewing and applying security updates is vital to maintaining the integrity and security of your infrastructure.