CVE-2025-3935: CWE-502 Deserialization of Untrusted Data in ConnectWise ScreenConnect
ScreenConnect versions 25.2.3 and earlier may be susceptible to a ViewState code injection attack. ASP.NET Web Forms use ViewState to preserve page and control state, with data encoded using Base64 and protected by machine keys. It is important to note that to obtain these machine keys, privileged system-level access must be obtained. If these machine keys are compromised, attackers could create and send a malicious ViewState to the website, potentially leading to remote code execution on the server. The risk does not originate from a vulnerability introduced by ScreenConnect, but from platform-level behavior. This has no direct impact on the ScreenConnect client. The ScreenConnect 2025.4 patch disables ViewState and removes any dependency on it.
AI Analysis
Technical Summary
CVE-2025-3935 is a deserialization issue (CWE-502) affecting ConnectWise ScreenConnect 25.2.3 and earlier. The ScreenConnect web server is built on ASP.NET Web Forms, which round-trips page and control state through the hidden __VIEWSTATE form field. That field carries a serialized object graph (ObjectStateFormatter output), Base64-encoded, with a MAC computed under the validationKey from the application's machineKey configuration and, depending on configuration, encrypted under the decryptionKey. The server validates the MAC before it deserializes anything, so a client who does not hold the keys cannot get a crafted blob past the check. A client who does hold them can sign an arbitrary object graph, and because the MAC proves only possession of the key and nothing about the safety of the content, the server deserializes it; with a suitable gadget chain that yields code execution in the server process. This is the "ViewState code injection" named in the description, and it is a property of the platform rather than a bug in ScreenConnect's own code: any ASP.NET Web Forms application whose machine keys leak is exposed in the same way. Obtaining the keys requires privileged access to the host, since they live in the application's configuration or in per-machine storage, which is consistent with a score of 8.1 rather than critical despite full confidentiality, integrity and availability impact; once an attacker holds the keys, the malicious request itself needs no authentication and no user interaction. ScreenConnect 2025.4 removes the exposure by disabling ViewState and dropping the dependency on it. This record lists no known public exploits, but the technique is well documented and public tooling (ysoserial.net's ViewState plugin) generates signed malicious ViewState from stolen keys, so a machine key compromise on a pre-2025.4 server should be treated as a server compromise. The ScreenConnect client is not directly affected.
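The trust boundary described above, reduced to its essentials, as an added example that is not ScreenConnect or Microsoft code. It is a simplified model: JSON stands in for ObjectStateFormatter, the MAC is a plain HMAC-SHA256 over the serialized bytes (the real MAC also binds page-specific modifiers and an optional ViewStateUserKey), encryption is omitted, and the server key, the crafted payload marker and the helper names are all constructed for illustration. What it shows is the three outcomes the advisory implies: no key, rejected at the MAC check; stolen key, straight into the deserializer; ViewState disabled (the 2025.4 behaviour), rejected before any parsing.

```python
"""Simplified model of how ASP.NET Web Forms protects __VIEWSTATE and why a
stolen validationKey is enough to reach the deserializer.

Added example, not ScreenConnect or Microsoft code.  Simplifications, all
assumed for illustration: JSON stands in for ObjectStateFormatter, the MAC is
a plain HMAC-SHA256 over the serialized bytes (the real MAC also binds
page-specific modifiers and an optional ViewStateUserKey), and encryption is
omitted.  The trust logic is the point: the MAC check proves possession of
the key, nothing about the safety of what is inside."""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

MAC_LEN = 32  # HMAC-SHA256 digest length

# Assumed server secret; in ASP.NET this is the machineKey validationKey.
SERVER_VALIDATION_KEY = secrets.token_bytes(64)


def sign_viewstate(state: dict, validation_key: bytes) -> str:
    """Serialize state, append MAC under validation_key, base64-encode.
    Server and attacker use the same routine; only the key differs."""
    body = json.dumps(state, sort_keys=True).encode()
    mac = hmac.new(validation_key, body, hashlib.sha256).digest()
    return base64.b64encode(body + mac).decode()


def load_viewstate(token: str, validation_key: bytes, viewstate_enabled: bool = True) -> dict:
    """Server side.  Rejects when ViewState is disabled or the MAC does not
    verify; otherwise hands the payload to the deserializer (json.loads here)."""
    if not viewstate_enabled:
        # 2025.4 behaviour: client-supplied state is never processed.
        raise ValueError("ViewState disabled")
    raw = base64.b64decode(token)
    if len(raw) <= MAC_LEN:
        raise ValueError("ViewState too short")
    body, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(validation_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("ViewState MAC validation failed")
    return json.loads(body)  # stand-in for ObjectStateFormatter.Deserialize


def attack_outcome(attacker_key: Optional[bytes], viewstate_enabled: bool = True) -> str:
    """What happens when an attacker submits crafted state.  attacker_key is
    None when the keys were never obtained, else the key the attacker holds."""
    # Constructed marker for an attacker-controlled object graph; no real gadget chain.
    crafted = {"__gadget": "attacker-controlled object graph"}
    key = attacker_key if attacker_key is not None else b"not-the-key"
    token = sign_viewstate(crafted, key)
    try:
        state = load_viewstate(token, SERVER_VALIDATION_KEY, viewstate_enabled)
    except ValueError as exc:
        return f"rejected: {exc}"
    return "reached deserializer" if "__gadget" in state else "accepted"


if __name__ == "__main__":
    legit = sign_viewstate({"page": 1}, SERVER_VALIDATION_KEY)
    print("legit round-trip: ", load_viewstate(legit, SERVER_VALIDATION_KEY))
    print("no key:           ", attack_outcome(None))
    print("stolen key:       ", attack_outcome(SERVER_VALIDATION_KEY))
    print("2025.4 (disabled):", attack_outcome(SERVER_VALIDATION_KEY, viewstate_enabled=False))
```

Note that `load_viewstate` has no branch that inspects the content before deserializing it; that is faithful to the platform and is exactly why the only two real fixes are keeping the key secret or, as 2025.4 does, not processing client-supplied state at all.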
Potential Impact
For European organizations, the impact of CVE-2025-3935 can be severe. ScreenConnect is widely used by managed service providers (MSPs) and IT departments for remote support and administration. Successful exploitation could lead to full server compromise, enabling attackers to execute arbitrary code, steal sensitive data, or disrupt services. This could result in significant operational downtime, data breaches involving client or internal information, and loss of trust. Given the critical role of remote support tools in business continuity, exploitation could also impact incident response and recovery capabilities. The requirement for privileged access to obtain machine keys somewhat limits the attack scope but does not eliminate risk, especially if attackers gain initial footholds through other means. European data protection regulations such as GDPR impose strict requirements on data security and breach notification, increasing the legal and financial consequences of such compromises. Organizations relying on vulnerable ScreenConnect versions must consider this vulnerability a high priority for remediation to avoid potential cascading impacts on confidentiality, integrity, and availability.
Mitigation Recommendations
1. Upgrade ScreenConnect to 2025.4 or later. That release disables ViewState, so a client-supplied __VIEWSTATE is no longer processed and the machine keys no longer gate code execution.
2. Treat the ASP.NET machine keys as secrets equivalent to server compromise: restrict read access to web.config (and any other location the keys are stored) to the service identity and administrators, do not reuse keys across applications or hosts, and rotate them after any suspected privileged access to the server. The validationKey is a symmetric key the application must hold in cleartext, so an HSM does not apply; what matters is file permissions, non-reuse and rotation.
3. Implement strict access controls and monitoring on servers hosting ScreenConnect to detect and prevent the privilege escalation that would expose the keys.
4. Review application event logs for ViewState MAC validation failures; a burst of them against one endpoint indicates someone submitting crafted state without (or with stale) keys. A payload signed with the correct key validates cleanly and leaves no such failure, so absence of failures is not evidence of absence.
5. Employ network segmentation to isolate remote support servers from critical infrastructure and sensitive data stores.
6. Use endpoint detection and response (EDR) tooling on ScreenConnect servers and watch in particular for the ScreenConnect server process spawning shells or other unexpected child processes, the usual first observable of a deserialization payload.
7. Educate IT and security teams about the risks of ViewState deserialization and ensure timely patch management.
8. A Web Application Firewall (WAF) can block oversized or syntactically invalid __VIEWSTATE values, but it cannot distinguish a legitimately signed ViewState from a malicious one signed with stolen keys; treat it as defence in depth only.
9. Maintain incident response readiness. If exploitation is suspected, assume the keys are compromised, rotate them, and forensically image and rebuild the host rather than patching in place.
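The configuration checks behind items 1, 2 and 4 above, as an added example that is not a ConnectWise tool: a small audit of an ASP.NET web.config that reports whether ViewState is still enabled, whether MAC validation has been turned off outright (in which case no key is needed at all), whether the validation key is a literal in the file, and whether a weak MAC algorithm is configured. Both sample configs are constructed; the only path assumption is that on a ScreenConnect server the relevant web.config sits in the install directory, which is why the script takes the file as a command-line argument rather than hard-coding it.

```python
"""Audit an ASP.NET web.config for the ViewState settings that decide whether
a stolen machine key is enough to reach the deserializer.

Added example, not a ConnectWise tool.  Both configs below are constructed;
the path assumption is that a ScreenConnect server's web.config sits in its
install directory (pass the real path on the command line)."""
import sys
import xml.etree.ElementTree as ET
from typing import List, Tuple

WEAK_VALIDATION = {"MD5", "SHA1", "3DES"}


def audit_web_config(xml_text: str) -> List[Tuple[str, str]]:
    """Return (severity, finding) pairs in check order; [] means nothing flagged.
    Defaults assumed where an attribute is absent: ViewState on, MAC on,
    encryption Auto, keys AutoGenerate, validation HMACSHA256 (ASP.NET 4.5+)."""
    root = ET.fromstring(xml_text)
    system_web = next((c for c in root if c.tag == "system.web"), None)
    findings: List[Tuple[str, str]] = []
    if system_web is None:
        return findings

    pages = system_web.find("pages")
    p = pages.attrib if pages is not None else {}
    if p.get("enableViewStateMac", "true").lower() == "false":
        # No key needed at all: any client can feed the deserializer.
        findings.append(("critical", "VIEWSTATE_MAC_DISABLED"))
    if p.get("enableViewState", "true").lower() == "true":
        # Still processing client-supplied state; the advisory's platform risk applies.
        findings.append(("info", "VIEWSTATE_ENABLED"))
    if p.get("viewStateEncryptionMode", "Auto") != "Always":
        findings.append(("low", "VIEWSTATE_NOT_ALWAYS_ENCRYPTED"))

    mk = system_web.find("machineKey")
    if mk is not None:
        if not mk.attrib.get("validationKey", "AutoGenerate").startswith("AutoGenerate"):
            # A literal key in the file is the secret the advisory says an attacker
            # with system access would take; rotate it after any host compromise.
            findings.append(("high", "STATIC_VALIDATION_KEY_IN_CONFIG"))
        if mk.attrib.get("validation", "HMACSHA256").upper() in WEAK_VALIDATION:
            findings.append(("medium", "WEAK_VALIDATION_ALGORITHM"))
    return findings


# Constructed: static (short, fake) keys in the file, SHA1 MAC, ViewState enabled.
VULNERABLE_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="A1B2C3D4" decryptionKey="E5F6A7B8" validation="SHA1" decryption="AES"/>
    <pages enableViewState="true" enableViewStateMac="true"/>
  </system.web>
</configuration>"""

# Constructed: ViewState off (what 2025.4 does), auto-generated keys, HMACSHA256, encrypted.
HARDENED_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="HMACSHA256" decryption="AES"/>
    <pages enableViewState="false" enableViewStateMac="true" viewStateEncryptionMode="Always"/>
  </system.web>
</configuration>"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = VULNERABLE_CONFIG
    for severity, finding in audit_web_config(text) or [("ok", "NO_FINDINGS")]:
        print(f"{severity:8} {finding}")
```

`VIEWSTATE_ENABLED` is reported as informational on purpose: on its own it is the documented platform behaviour, not a misconfiguration, but on a ScreenConnect server it is the condition that upgrading to 2025.4 removes, so it is the first thing to confirm after patching. `STATIC_VALIDATION_KEY_IN_CONFIG` is the one to act on when an incident is suspected, since a key that exists as text in a file is a key an attacker with host access has already read.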
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: ConnectWise
- Date Reserved: 2025-04-25T14:32:25.365Z
- CISA Enriched: true
Threat ID: 682d983ec4522896dcbeff58
Added to database: 5/21/2025, 9:09:18 AM
Last enriched: 10/21/2025, 9:17:31 PM
Last updated: 11/29/2025, 4:55:38 PM
Views: 49