Vulnerabilities | Mar 18, 2026

ConnectWise patches new flaw allowing ScreenConnect hijacking

Summary

ConnectWise released a patch for CVE-2026-3564, a critical cryptographic signature verification vulnerability in ScreenConnect that allows attackers to extract ASP.NET machine keys and achieve unauthorized access and privilege escalation. The flaw affects versions before 26.1, and while no confirmed active exploitation has been observed by ConnectWise, researchers have reported attempts to abuse disclosed machine key material in the wild. On-premises administrators must upgrade immediately, while cloud users have been automatically patched.

Full text

By Bill Toulas, March 18, 2026, 02:10 PM

ConnectWise is warning ScreenConnect customers of a cryptographic signature verification vulnerability that could lead to unauthorized access and privilege escalation.

The flaw affects ScreenConnect versions before 26.1. It is tracked as CVE-2026-3564 and received a critical severity score.

ScreenConnect is a remote access platform typically used by managed service providers (MSPs), IT departments, and support teams. It can be either cloud-hosted by ConnectWise or deployed on-premises on the customer's server.

An attacker could exploit the security issue to extract and use the ASP.NET machine keys for unauthorized session authentication.

“If the machine key material for a ScreenConnect instance is disclosed, a threat actor may be able to generate or modify protected values in ways that may be accepted by the instance as valid,” reads the vendor’s advisory. “This can result in unauthorized access and unauthorized actions within ScreenConnect.”

The vendor addressed this by adding stronger protection for machine keys, including encrypted storage and improved handling, starting with ScreenConnect version 26.1.

Cloud users have been automatically moved to the safe version, but system administrators managing on-premises deployments must upgrade to version 26.1 as soon as possible.

ConnectWise also stated that researchers observed attempts to abuse disclosed ASP.NET machine key material in the wild, so the risk from CVE-2026-3564 is tangible right now.

However, the vendor told BleepingComputer that it has no evidence of active exploitation in the wild as of writing, and therefore has no indicators of compromise (IoCs) to share with defenders.

“We do not have evidence that this specific vulnerability (CVE-2026-3564) was exploited in ConnectWise-hosted ScreenConnect, so we do not have any confirmed IOCs to share,” ConnectWise told BleepingComputer.

“We encourage any researchers who believe they have identified active exploitation to engage in responsible disclosure so findings can be validated and addressed appropriately.”

There are claims, however, that the issue has been actively exploited by Chinese hackers for years, although it is unclear if the same security flaw was leveraged.

In the past, nation-state hackers have exploited CVE-2025-3935 in attacks to steal the secret machine keys used by a ScreenConnect server.

Apart from upgrading to ScreenConnect version 26.1, the software vendor also recommends tightening access to configuration files and secrets, checking logs for unusual authentication activity, protecting backups and old data snapshots, and keeping extensions up to date.
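The advice to tighten access to configuration files and to protect backups and old snapshots can be partly checked by scanning configuration copies for machine keys stored as readable values. The following is an added example, not code from ConnectWise or from the article; it assumes the standard ASP.NET `<machineKey>` configuration element (how ScreenConnect itself lays out its files is not described on this page), and the sample documents and the function name `audit_machine_key` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

KEY_ATTRS = ("validationKey", "decryptionKey")

def audit_machine_key(config_xml: str) -> dict:
    """Classify how an ASP.NET config document stores its <machineKey>."""
    result = {"status": "absent", "exposed": []}
    try:
        root = ET.fromstring(config_xml)
    except ET.ParseError:
        return {"status": "unparseable", "exposed": []}
    for mk in root.iter("machineKey"):
        # A protected section carries a provider attribute and an
        # <EncryptedData> child instead of readable key attributes.
        if "configProtectionProvider" in mk.attrib or any(
                child.tag.endswith("EncryptedData") for child in mk):
            result["status"] = "encrypted"
            continue
        literal = [a for a in KEY_ATTRS
                   if mk.get(a) and not mk.get(a).startswith("AutoGenerate")]
        if literal:
            # Readable key material: anyone who can read this file, or a
            # backup of it, holds the values used to sign protected data.
            return {"status": "plaintext", "exposed": literal}
        result["status"] = "autogenerate"
    return result

# Constructed samples; the key values are placeholders, not real key material.
PLAINTEXT_CFG = """<configuration><system.web>
  <machineKey validationKey="A1B2C3D4A1B2C3D4" decryptionKey="0F1E2D3C0F1E2D3C"
              validation="HMACSHA256" decryption="AES" />
</system.web></configuration>"""

ENCRYPTED_CFG = """<configuration><system.web>
  <machineKey configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#" />
  </machineKey>
</system.web></configuration>"""

AUTOGEN_CFG = """<configuration><system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps"
              decryptionKey="AutoGenerate,IsolateApps" />
</system.web></configuration>"""

if __name__ == "__main__":
    for name, cfg in [("plaintext", PLAINTEXT_CFG), ("encrypted", ENCRYPTED_CFG),
                      ("autogenerate", AUTOGEN_CFG)]:
        print(name, audit_machine_key(cfg))
```

A `plaintext` result on a backup or snapshot means that copy needs the same access restrictions as the live server, and the keys in it should be treated as exposed if the copy was ever readable by others.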

Indicators of Compromise

  • cve — CVE-2026-3564
  • cve — CVE-2025-3935