Vulnerabilities | Mar 19, 2026

Critical ScreenConnect Vulnerability Exposes Machine Keys

Summary

ConnectWise patched CVE-2026-3564, a critical vulnerability (CVSS 9.0) in ScreenConnect that exposed machine keys used for session authentication due to unencrypted storage in configuration files. The flaw could allow attackers to access cryptographic material, elevate privileges, and compromise servers; version 26.1 adds encrypted storage and management of machine keys.

Full text

ConnectWise has rolled out a security update for ScreenConnect to improve its handling of machine keys and prevent server compromise.

The update addresses CVE-2026-3564 (CVSS score of 9.0), a critical-severity vulnerability that could allow attackers to access cryptographic material used for session authentication.

Previously, ScreenConnect stored the unique machine keys within server configuration files, which exposed them to exfiltration in certain scenarios. The latest iteration of the remote monitoring and management solution eliminates the risk by encrypting the cryptographic material.

“ScreenConnect version 26.1 introduces enhanced protections for machine key handling, including encrypted storage and management, reducing the risk of unauthorized access in scenarios where server integrity may be compromised,” ConnectWise notes in its advisory.

The company assigned a ‘high’ priority rating to CVE-2026-3564, which it typically slaps on bugs “that are either being targeted or have higher risk of being targeted by exploits in the wild.”

In a separate advisory, ConnectWise notes that it is aware of attempts to abuse disclosed ASP.NET machine key material, which is used to sign and validate protected application data.

Threat actors could use this cryptographic material to elevate their privileges within ScreenConnect and to access active sessions, which could lead to server compromise.

“If the machine key material for a ScreenConnect instance is disclosed, a threat actor may be able to generate or modify protected values in ways that may be accepted by the instance as valid. This can result in unauthorized access and unauthorized actions within ScreenConnect,” the company said.

The flaw was allegedly exploited by Chinese state-sponsored hackers for years, but ConnectWise says it has no evidence to validate the claims.
“The references in the advisory relate to our ongoing efforts to strengthen the security of ScreenConnect, including hardening measures around the use and management of ASP.NET machine key material. This work is part of a broader initiative to reduce attack surface and enhance product security, informed by continuous internal review and lessons learned from prior industry events,” a ConnectWise spokesperson told SecurityWeek.

Users are advised to update to ScreenConnect version 26.1 as soon as possible, to review access controls and restrict access to configuration files and backups, and to monitor logs for unusual activity.

Written by Ionut Arghire, an international correspondent for SecurityWeek.
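The advice to review configuration files and backups can be turned into a concrete check. The following is an added example, not code from ConnectWise or the original article: it assumes the standard ASP.NET machineKey element layout (the article does not describe ScreenConnect's own file layout or how version 26.1 stores the keys), and both sample configs and their key values are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a config fragment with literal (plaintext) key material.
# The hex values are made up for this example.
PLAINTEXT_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="FEDCBA9876543210FEDCBA9876543210"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""

# Constructed sample: the same section wrapped by ASP.NET protected configuration.
PROTECTED_CONFIG = """<configuration>
  <system.web>
    <machineKey configProtectionProvider="RsaProtectedConfigurationProvider">
      <EncryptedData><CipherData><CipherValue>placeholder</CipherValue></CipherData></EncryptedData>
    </machineKey>
  </system.web>
</configuration>"""

KEY_ATTRS = ("validationKey", "decryptionKey")
HEX_KEY = re.compile(r"^[0-9A-Fa-f]{16,}$")

def audit_machine_key(config_text):
    """Return findings for literal machineKey material in one config document."""
    findings = []
    root = ET.fromstring(config_text)
    for elem in root.iter("machineKey"):
        if elem.get("configProtectionProvider"):
            continue  # section is encrypted at rest; no literal key to report
        for attr in KEY_ATTRS:
            # "AutoGenerate[,IsolateApps]" means no key is stored in the file.
            literal = elem.get(attr, "").split(",")[0]
            if HEX_KEY.match(literal):
                # Report the key length only, never the key itself.
                findings.append(
                    f"{attr}: literal key, {len(literal) * 4} bits, stored in plaintext")
    return findings

if __name__ == "__main__":
    for name, text in (("plaintext", PLAINTEXT_CONFIG), ("protected", PROTECTED_CONFIG)):
        print(name, audit_machine_key(text) or "no plaintext key material")
```

Run the same function over every copy of the configuration file, including backups and snapshots, since a key found in an old copy is as usable as one in the live file.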

Indicators of Compromise

  • cve — CVE-2026-3564