Full Report
ConnectWise is warning ScreenConnect customers of a cryptographic signature verification vulnerability that could lead to unauthorized access and privilege escalation. [...]
Analysis Summary
# Vulnerability: ConnectWise ScreenConnect Cryptographic Signature Verification Flaw
## CVE Details
- **CVE ID:** CVE-2026-3564
- **CVSS Score:** Critical (Numerical score not explicitly stated, but categorized as "Critical")
- **CWE:** CWE-347 (Improper Verification of Cryptographic Signature) / CWE-522 (Insufficiently Protected Credentials)
## Affected Systems
- **Products:** ConnectWise ScreenConnect (On-premise and Cloud)
- **Versions:** All versions prior to 26.1
- **Configurations:** Self-hosted (on-premises) deployments are at highest risk as they require manual intervention; Cloud-hosted instances are managed by ConnectWise.
## Vulnerability Description
CVE-2026-3564 is a cryptographic signature verification vulnerability involving the ASP.NET machine keys used by ScreenConnect. If an attacker gains access to the machine key material, they can generate or modify protected values (such as authentication cookies or view state) that the server will treat as valid. This allows for the forging of session authentication, leading to unauthorized access and potential privilege escalation within the application.
## Exploitation
- **Status:** Vulnerable in the wild; some reports suggest potential historical abuse, though ConnectWise has not confirmed active exploitation of this specific CVE.
- **Complexity:** Medium (Requires method to extract machine keys or exploit the signature verification flaw).
- **Attack Vector:** Network
## Impact
- **Confidentiality:** High (Access to unauthorized sessions and instance data).
- **Integrity:** High (Ability to modify protected values and perform unauthorized actions).
- **Availability:** Medium (Potential for administrative takeover and system disruption).
## Remediation
### Patches
- **ScreenConnect Version 26.1:** ConnectWise has released this version which includes encrypted storage and improved handling for machine key material.
- **Cloud Users:** Automatically updated by the vendor.
- **On-Premise Users:** Must manually upgrade to version 26.1 immediately.
### Workarounds
- Tighten file-system permissions to restrict access to configuration files and secrets.
- Protect and encrypt backups and old data snapshots that may contain legacy machine keys.
- Keep all ScreenConnect extensions updated to the latest versions.
## Detection
- **Indicators of Compromise:** No specific IoCs (hashes/IPs) provided by the vendor at this time.
- **Detection Methods:**
- Audit ScreenConnect logs for unusual authentication activity or sessions originating from unexpected geographic locations.
- Monitor for unauthorized access to web.config files or relevant registry hives where ASP.NET keys may be stored.
## References
- **ConnectWise Security Bulletin:** hxxps[://]www[.]connectwise[.]com/company/trust/security-bulletins/2026-03-17-screenconnect-bulletin
- **ConnectWise Trust Center:** hxxps[://]www[.]connectwise[.]com/company/trust/advisories
- **BleepingComputer Reporting:** hxxps[://]www[.]bleepingcomputer[.]com/news/security/connectwise-patches-new-flaw-allowing-screenconnect-hijacking/
- **NVD Entry:** hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2026-3564