ConnectWise is warning ScreenConnect customers of a cryptographic signature verification vulnerability that could lead to unauthorized access and privilege escalation.
The flaw affects ScreenConnect versions before 26.1. It is tracked as CVE-2026-3564 and received a critical severity score.
ScreenConnect is a remote access platform typically used by managed service providers (MSPs), IT departments, and support teams. It can be either cloud-hosted by ConnectWise or on-premise on the customer’s server.
An attacker could exploit the security issue to extract and use the ASP.NET machine keys for unauthorized session authentication.
“If the machine key material for a ScreenConnect instance is disclosed, a threat actor may be able to generate or modify protected values in ways that may be accepted by the instance as valid,” reads the vendor’s advisory.
“This can result in unauthorized access and unauthorized actions within ScreenConnect.”
The vendor addressed this by adding stronger protection for machine keys, including encrypted storage and improved handling starting ScreenConnect version 26.1.
Cloud users have been automatically moved to the safe version, but system administrators managing on-premises deployments must upgrade to version 26.1 as soon as possible.
ConnectWise also stated that researchers observed attempts to abuse disclosed ASP.NET machine key material in the wild, so the risk from CVE-2026-3564 is tangible right now.
However, the vendor told BleepingComputer that it has no evidence of active exploitation in the wild as of writing, and therefore has no indicators of compromise (IoCs) to share with defenders.
“We do not have evidence that this specific vulnerability (CVE-2026-3564) was exploited in ConnectWise-hosted ScreenConnect, so we do not have any confirmed IOCs to share,” stated ConnectWise to BleepingComputer.
“We encourage any researchers who believe they have identified active exploitation to engage in responsible disclosure so findings can be validated and addressed appropriately.”
However, there are claims that the issue has been actively exploited by Chinese hackers for years, but it is unclear if the same security flaw was leveraged.
There have been in the past attacks from nation-state hackers that exploited CVE-2025-3935 to steal the secret machine keys used by a ScreenConnect server.
Apart from upgrading to ScreenConnect version 26.1, the software vendor also recommends tightening access to configuration files and secrets, checking logs for unusual authentication activity, protecting backups and old data snapshots, and keeping extensions up to date.
Malware is getting smarter. The Red Report 2026 reveals how new threats use math to detect sandboxes and hide in plain sight.
Download our analysis of 1.1 million malicious samples to uncover the top 10 techniques and see if your security stack is blinded.
