Critical Remote Session Hijack in ConnectWise ScreenConnect (CVE‑2026‑3564) Threatens MSPs and Enterprises
What It Is — ConnectWise’s ScreenConnect (now ConnectWise Control) contained a critical flaw (CVE‑2026‑3564) that allowed unauthenticated attackers to forge ASP.NET machine‑key signatures and hijack active remote‑access sessions.
Exploitability — The vulnerability is remotely exploitable without user interaction; proof‑of‑concept code has been published, and researchers have observed attempts to abuse the disclosed machine‑key material. No confirmed wild‑fire exploitation has been reported yet. CVSS v3.1 base score: 9.8 (Critical).
Affected Products — All on‑premises and self‑hosted versions of ScreenConnect prior to version 26.1 (including the cloud‑hosted offering).
TPRM Impact — MSPs, IT service desks, and any third party that relies on ScreenConnect to manage client devices could become a conduit for lateral movement, data exfiltration, or ransomware deployment across multiple customer environments.
Recommended Actions —
- Deploy ScreenConnect v26.1 or later immediately.
- Verify that on‑premises instances have regenerated machine keys via the new admin UI.
- Audit logs for anomalous authentication events or unexpected admin actions.
- Harden server‑level permissions: restrict access to configuration files, backups, and exported archives to a minimal set of trusted accounts.
- Enforce use of only vetted extensions and keep the underlying ASP.NET framework patched.
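To support the key-regeneration and file-permission actions above, the following added example (not code from ConnectWise or from the cited source) inventories files and zip archives that hold machine-key material and flags copies of the key the live configuration still uses. It assumes keys are stored in a standard ASP.NET `<machineKey>` element with `validationKey` and `decryptionKey` attributes; the file names and key values in `build_sample` are constructed.

```python
import hashlib
import re
import zipfile
from pathlib import Path

# Assumption: keys sit in a standard ASP.NET <machineKey> element.
MACHINE_KEY = re.compile(rb"<machineKey\b[^>]*>", re.I)
ATTR = re.compile(rb'(validationKey|decryptionKey)\s*=\s*"([^"]+)"', re.I)

def fingerprints(data):
    """Truncated SHA-256 fingerprints of explicit key values (keys are never printed)."""
    found = set()
    for element in MACHINE_KEY.findall(data):
        for _name, value in ATTR.findall(element):
            if b"AutoGenerate" not in value:  # auto-generated: no literal key in the file
                found.add(hashlib.sha256(value.strip().upper()).hexdigest()[:16])
    return found

def scan(root):
    """Map every file (and zip member) under root to the key fingerprints it holds."""
    hits = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        if zipfile.is_zipfile(path):
            with zipfile.ZipFile(path) as archive:
                blobs = {f"{path}!{m}": archive.read(m) for m in archive.namelist()}
        else:
            blobs = {str(path): path.read_bytes()}
        for label, data in blobs.items():
            fps = fingerprints(data)
            if fps:
                hits[label] = fps
    return hits

def live_key_copies(root, live_config):
    """Locations other than live_config holding a key the live config still uses."""
    hits = scan(root)
    live = hits.get(str(live_config), set())
    return sorted(p for p, fps in hits.items() if p != str(live_config) and fps & live)

def build_sample(root):
    """Constructed tree: rotated live config, pre-rotation copy, export of the live config."""
    old = '<system.web><machineKey validationKey="AAAA1111" decryptionKey="BBBB2222" /></system.web>'
    new = old.replace("AAAA1111", "CCCC3333").replace("BBBB2222", "DDDD4444")
    Path(root, "web.config").write_text(new)
    Path(root, "web.config.old").write_text(old)
    with zipfile.ZipFile(Path(root, "export.zip"), "w") as z:
        z.writestr("site/web.config", new)
    return str(Path(root, "web.config"))
```

Everything `scan` returns is a file whose access should be limited to trusted accounts; anything `live_key_copies` returns exposes the key currently in use. If a backup taken before the upgrade appears in that second list, the live key was not regenerated.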
Source: Help Net Security – Unpatched ScreenConnect servers open to attack (CVE‑2026‑3564)