CP
cyberpings
VulnerabilitiesHIGH

Vulnerabilities - Unpatched ScreenConnect Servers Open to Attack

HNHelp Net Security
CVE-2026-3564ScreenConnectConnectWiseASP.NET
🎯

Basically, a flaw in ScreenConnect lets hackers take over remote sessions.

Quick Summary

ConnectWise has patched a critical vulnerability in ScreenConnect that allows session hijacking. Organizations using this remote access tool must upgrade to protect sensitive data. Immediate action is essential to prevent exploitation.

The Flaw

ConnectWise has revealed a critical vulnerability identified as CVE-2026-3564 in its popular ScreenConnect remote access platform. This flaw arises from improper verification of cryptographic signatures, allowing attackers to exploit it remotely. The vulnerability affects all versions of ScreenConnect prior to version 26.1. Attackers can hijack sessions without needing any user interaction, making it a serious threat.

The root cause lies in how ScreenConnect stored unique ASP.NET machine keys in server configuration files. Under certain conditions, unauthorized actors could extract these keys and misuse them for session authentication. This means that once they hijack a session, they can perform unauthorized actions within the instance, including accessing employee computers and installing malware.

What's at Risk

Organizations using ScreenConnect, especially managed service providers and IT departments, are at significant risk. The ability for attackers to open remote sessions and execute commands poses a severe threat to sensitive data and operational integrity. Without proper updates, many organizations remain vulnerable to exploitation.

ConnectWise has implemented enhanced protections in ScreenConnect version 26.1, which includes encrypted storage and management of machine keys. This update significantly reduces the risk of unauthorized access, especially in scenarios where server integrity may be compromised. However, those using older versions must act quickly to mitigate potential threats.

Patch Status

ConnectWise released ScreenConnect version 26.1 last week, addressing the vulnerabilities associated with CVE-2026-3564. The company has updated the server instances it hosts in its cloud. However, customers with on-premises or self-hosted instances are strongly urged to upgrade as soon as possible.

Despite the patch, security researchers have observed attempts to exploit the disclosed ASP.NET machine key material. While ConnectWise has not confirmed any successful exploitation in its hosted version, the potential for attacks remains high. Organizations must remain vigilant and check for signs of prior compromise in their ScreenConnect logs.

Immediate Actions

To protect against this vulnerability, organizations should take several immediate actions. First, they should review instance-level and server-level access controls to restrict access to sensitive application configurations. Limiting access to backups and exported configuration archives is also crucial.

Additionally, organizations should ensure that they are using only trusted and supported extensions and regularly updating them. Monitoring for unusual authentication activity or unexpected administrative actions in the ScreenConnect logs can help identify potential breaches early. By taking these steps, organizations can safeguard their remote access capabilities and mitigate the risks associated with CVE-2026-3564.

🔒 Pro insight: The exploitation of CVE-2026-3564 highlights the need for stringent management of cryptographic keys in remote access tools.

Original article from

Help Net Security · Zeljka Zorz

Read Full Article

Share

Related Pings

CRITICALVulnerabilities

Langflow Vulnerability - Critical Bug Exploited in Hours

A critical vulnerability in Langflow was exploited within 20 hours of its disclosure. Attackers executed arbitrary code without needing authentication, putting sensitive data at risk. Organizations must act quickly to secure their systems and protect against potential breaches.

Infosecurity Magazine·
HIGHVulnerabilities

Bamboo Data Center - High-Risk Remote Code Execution Flaw

A critical vulnerability in Bamboo Data Center allows attackers to execute remote code, threatening software development processes. Immediate patching is essential to secure your systems and prevent exploitation.

Cyber Security News·
CRITICALVulnerabilities

Critical Langflow Vulnerability - Exploited Within Hours

A critical vulnerability in Langflow has been exploited just hours after it was disclosed. This flaw allows attackers to execute code without authentication, risking sensitive data. Organizations must act quickly to patch and secure their systems.

SecurityWeek·
HIGHVulnerabilities

Apex - AI-Powered Pentester Discovers Vulnerabilities Rapidly

Apex, an AI-powered penetration testing tool, is revolutionizing vulnerability detection in applications. It operates without needing source code, targeting modern software development's rapid pace. With impressive results, Apex uncovers critical security flaws, ensuring businesses stay ahead of threats.

Cyber Security News·
MEDIUMVulnerabilities

Windows 11 Update - Sign-In Issues for Teams and OneDrive

Microsoft's latest Windows 11 update causes sign-in issues for Teams and OneDrive. Users face misleading connectivity errors, disrupting productivity. Microsoft is working on a fix.

BleepingComputer·
HIGHVulnerabilities

Vulnerabilities in Older iPhones - Apple Issues Urgent Update

Apple warns that older iPhones are vulnerable to attacks from Coruna and DarkSword exploit kits. Users are urged to update their iOS to safeguard sensitive data. Ignoring this advice could lead to serious security breaches.

The Hacker News·