Critical Vulnerability (CVE‑2026‑3564) in ConnectWise ScreenConnect Allows Session Hijacking
What Happened — ConnectWise disclosed a cryptographic signature verification flaw (CVE‑2026‑3564) in ScreenConnect versions earlier than 26.1 that lets an attacker extract ASP.NET machine keys and forge authenticated sessions. The vulnerability received a critical severity rating, and probing for it has been observed in the wild.
Why It Matters for TPRM —
- Remote‑access tools are a common attack surface for supply‑chain and privilege‑escalation threats.
- Exploitation could give adversaries unfettered access to client environments managed by MSPs and internal IT teams.
- Unpatched on‑premise deployments remain vulnerable, creating third‑party risk for organizations that rely on ScreenConnect.
Who Is Affected — Managed Service Providers, corporate IT departments, and support teams across all verticals that run ScreenConnect (cloud‑hosted or on‑premise).
Recommended Actions —
- Verify that all ScreenConnect instances are running version 26.1 or later.
- For on‑premise deployments, prioritize the upgrade and enforce encrypted storage of machine keys.
- Review access controls on configuration files, monitor authentication logs for anomalies, and ensure extensions are up to date.
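
As an added example (not code from ConnectWise or the source article), the following audit reports whether an ASP.NET configuration file holds machine keys as literal values or in a protected (encrypted) section. It assumes the keys sit in the stock ASP.NET `<machineKey>` section, which this advisory does not confirm for ScreenConnect; the sample configurations and function names are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample configurations; not taken from any real deployment.
PLAINTEXT_CFG = """<configuration><system.web>
  <machineKey validationKey="0123ABCD" decryptionKey="4567EF01"
              validation="HMACSHA256" decryption="AES" />
</system.web></configuration>"""

PROTECTED_CFG = """<configuration><system.web>
  <machineKey configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#">
      <CipherData><CipherValue>constructed</CipherValue></CipherData>
    </EncryptedData>
  </machineKey>
</system.web></configuration>"""

AUTOGEN_CFG = """<configuration><system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate" />
</system.web></configuration>"""

KEY_ATTRS = ("validationKey", "decryptionKey")

def local(tag):
    """Strip an XML namespace prefix such as {uri}EncryptedData."""
    return tag.rsplit("}", 1)[-1]

def audit_machine_key(config_xml):
    """Return one finding per key exposure in every <machineKey> element.

    Assumption: keys live in the standard ASP.NET <machineKey> section.
    """
    findings = []
    for el in ET.fromstring(config_xml).iter():
        if local(el.tag) != "machineKey":
            continue
        encrypted = any(local(child.tag) == "EncryptedData" for child in el)
        if el.get("configProtectionProvider") and encrypted:
            findings.append("protected")  # section is encrypted at rest
            continue
        for attr in KEY_ATTRS:
            value = el.get(attr)
            if value and not value.startswith("AutoGenerate"):
                findings.append(f"plaintext {attr}")  # literal key readable from disk
    return findings or ["no literal key in file"]

if __name__ == "__main__":
    for name, cfg in [("plaintext", PLAINTEXT_CFG), ("protected", PROTECTED_CFG),
                      ("autogenerate", AUTOGEN_CFG)]:
        print(name, audit_machine_key(cfg))
```

A "plaintext" finding means anyone with read access to the file can recover the key, so it should be paired with the file access-control review above.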
Technical Notes — The flaw stems from inadequate verification of cryptographic signatures, allowing extraction of ASP.NET machine keys used for session authentication. No public IoCs have been released, but researchers have observed attempts to abuse disclosed key material.
Source: BleepingComputer