ConnectWise Releases Security Update for ScreenConnect

Summary

Updates address a flaw in ASP.NET Web Forms which could lead to RCE


Affected platforms

The following platforms are known to be affected:

Threat details

Exploitation of CVE-2025-3935

ConnectWise has observed active exploitation of CVE-2025-3935 in the wild on ScreenConnect. The NHS England National CSOC assesses further exploitation as likely.


Introduction

ConnectWise has released a security update addressing a flaw in on-premise ScreenConnect deployments. The flaw lies in ASP.NET Web Forms, which uses ViewState to preserve page and control state. ViewState data is Base64-encoded and protected by machine keys.

An attacker with privileged system access may be able to obtain the machine keys, allowing them to create and send a malicious ViewState to the website, potentially leading to remote code execution (RCE) on the server.

The ScreenConnect update disables ViewState and removes any dependency on it.
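
As an added illustration (not code from ConnectWise or from this alert), the following Python sketch audits an ASP.NET web.config for the two conditions described above: machine keys stored statically in the file, and ViewState left enabled. The element and attribute names are standard ASP.NET configuration; the sample file is constructed, and the function name and the assumption that the relevant settings live in a single web.config are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample for illustration; not a real ScreenConnect configuration.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="PLACEHOLDER_VALIDATION_KEY"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="SHA1" />
    <pages enableViewState="true" />
  </system.web>
</configuration>
"""


def audit_viewstate_config(xml_text):
    """Return a list of findings about ViewState exposure in a web.config."""
    root = ET.fromstring(xml_text)
    system_web = root.find("system.web")
    if system_web is None:
        return ["no <system.web> section found"]

    findings = []

    # Keys written into the file are readable by anyone who can read the file,
    # which is the precondition the advisory describes for forging ViewState.
    machine_key = system_web.find("machineKey")
    if machine_key is not None:
        for attr in ("validationKey", "decryptionKey"):
            value = machine_key.get(attr, "AutoGenerate")
            if not value.startswith("AutoGenerate"):
                findings.append(f"machineKey {attr} is stored statically in the file")

    # Web Forms enables ViewState unless it is explicitly switched off.
    pages = system_web.find("pages")
    enabled = "true" if pages is None else pages.get("enableViewState", "true")
    if enabled.lower() != "false":
        findings.append("ViewState is enabled for pages")

    return findings


if __name__ == "__main__":
    for finding in audit_viewstate_config(SAMPLE_WEB_CONFIG):
        print("FINDING:", finding)
```

An empty result means neither condition was found in the file that was checked; it does not replace applying the vendor update.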


Threat updates

Date Update
3 Jun 2025 Updated Exploitation Details for CVE-2025-3935

Remediation advice

Affected organisations are encouraged to review ConnectWise advisory screenconnect-security-patch-2025.4 and apply the relevant updates as soon as practicable. 



Last edited: 3 June 2025 4:17 pm