Emergency Security Bulletin: Authentication Bypass Vulnerability in ConnectWise ScreenConnect


By: RedLegg's Cyber Threat Intelligence Team

About:

 CVE-2026-3564 is a critical authentication bypass vulnerability in ConnectWise ScreenConnect caused by improper handling of server-level cryptographic material used for authentication. An attacker who obtains access to sensitive cryptographic data, such as ASP.NET machine keys, can forge or manipulate authentication tokens that are trusted by the system. Successful exploitation may allow unauthorized access to ScreenConnect instances and enable attackers to perform actions with elevated privileges, potentially compromising remote access infrastructure. 

RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats we classify as the highest severity level and warrant out-of-band emergency patching or mitigation action.


VULNERABILITIES

Authentication Bypass Vulnerability in ConnectWise ScreenConnect

CVSS Score: 9.0 (Critical, CVSS v3.1)
Identifier: CVE-2026-3564
PoC or Exploitation:
There are no confirmed reports of active exploitation in the wild and no publicly available proof-of-concept exploit code.  

Update/Patch:

ConnectWise has released a security update addressing this vulnerability.
 
Affected versions include:
ScreenConnect versions prior to 26.1
 
Fixed version:
ScreenConnect 26.1 and later
 
Cloud-hosted ScreenConnect instances have been automatically updated. On-premise deployments must be manually upgraded to version 26.1 or later.
 
Vendor advisory and patch guidance:
 
Description: 
 
CVE-2026-3564 is an authentication bypass vulnerability affecting ConnectWise ScreenConnect. The issue stems from improper handling and verification of server-level cryptographic material used for authentication.
 
An attacker who gains access to this cryptographic material, such as ASP.NET machine keys, could generate or manipulate authentication tokens that are accepted as valid by the system. This could allow unauthorized access to ScreenConnect instances and enable attackers to perform actions with elevated privileges.


Mitigation Recommendation:

Immediately upgrade ConnectWise ScreenConnect to version 26.1 or later.
 
Restrict access to server configuration files and cryptographic material, including machine keys.
 
Rotate any potentially exposed cryptographic keys and authentication material.
 
Limit access to ScreenConnect management interfaces to trusted networks and administrative systems only.
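
One way to check the file-access and key-rotation recommendations on an on-premise Windows server, as an added example (not RedLegg or ConnectWise code). It assumes the keys sit in a standard ASP.NET `<machineKey>` element; `$ConfigPath` and the allow-list are placeholders to adapt to your deployment.

```powershell
# Added example, not vendor code. Run elevated on the server being reviewed.
param(
    # Placeholder: path to the configuration file that holds machine keys in your deployment.
    [Parameter(Mandatory)] [string] $ConfigPath,
    # Assumption: only these principals should read it; add your service account.
    [string[]] $Allowed = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
)

# ReadData (0x1) plus the generic all/read bits that inherited ACEs can carry.
$readMask = 0x1 -bor 0x10000000 -bor 0x80000000

# 1. Allow ACEs that grant read access to anyone outside the allow-list.
$unexpected = (Get-Acl -LiteralPath $ConfigPath).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    (([int]$_.FileSystemRights -band $readMask) -ne 0) -and
    ($Allowed -notcontains $_.IdentityReference.Value)
}

# 2. Does the file carry static key material? Report presence only, never the values.
$staticKeys = @()
try {
    $node = ([xml](Get-Content -LiteralPath $ConfigPath -Raw)).SelectSingleNode('//machineKey')
    foreach ($attr in 'validationKey', 'decryptionKey') {
        $value = if ($node) { $node.GetAttribute($attr) } else { '' }
        # ASP.NET treats values starting with "AutoGenerate" as generated, not static.
        if ($value -and $value -notlike 'AutoGenerate*') { $staticKeys += $attr }
    }
} catch {
    Write-Warning "Could not parse $ConfigPath as XML: $($_.Exception.Message)"
}

# Summary: static keys readable by unexpected principals are candidates for rotation.
[pscustomobject]@{
    Path                 = $ConfigPath
    UnexpectedReaders    = @($unexpected | ForEach-Object { $_.IdentityReference.Value })
    StaticKeys           = $staticKeys
    KeysReadableByOthers = [bool]($unexpected -and $staticKeys)
}
```

A result with `KeysReadableByOthers` set to `True` means the ACL should be tightened and the listed keys treated as potentially exposed.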