
CVE-2025-3935: CWE-502 Deserialization of Untrusted Data in ConnectWise ScreenConnect

Severity: High
Tags: Vulnerability, CVE-2025-3935, cve, cve-2025-3935, cwe-502
Published: Fri Apr 25 2025 (04/25/2025, 18:27:44 UTC)
Source: CVE
Vendor/Project: ConnectWise
Product: ScreenConnect

Description

ScreenConnect versions 25.2.3 and earlier versions may be susceptible to a ViewState code injection attack. ASP.NET Web Forms use ViewState to preserve page and control state, with data encoded using Base64 protected by machine keys.  It is important to note that to obtain these machine keys, privileged system level access must be obtained. If these machine keys are compromised, attackers could create and send a malicious ViewState to the website, potentially leading to remote code execution on the server.  The risk does not originate from a vulnerability introduced by ScreenConnect, but from platform level behavior.  This had no direct impact to ScreenConnect Client. ScreenConnect 2025.4 patch disables ViewState and removes any dependency on it.

AI-Powered Analysis

Last updated: 09/21/2025, 00:08:16 UTC

Technical Analysis

CVE-2025-3935 is a high-severity vulnerability affecting ConnectWise ScreenConnect versions 25.2.3 and earlier. It arises from the use of ASP.NET Web Forms ViewState, a mechanism that preserves page and control state by encoding data in Base64 and protecting it with machine keys. The core issue is deserialization of untrusted data (CWE-502): an attacker who obtains the machine keys, which requires privileged system-level access, can craft malicious ViewState payloads. These payloads can be sent to the vulnerable ScreenConnect web interface, potentially leading to remote code execution (RCE) on the server hosting the application. The vulnerability is not due to a flaw in ScreenConnect itself but stems from the underlying ASP.NET platform behavior, and the ScreenConnect client is unaffected. The vendor addressed the issue in ScreenConnect version 2025.4 by disabling ViewState entirely and removing any dependency on it, which mitigates the risk. The CVSS v3.1 base score is 8.1, reflecting a network attack vector, high attack complexity, no required privileges or user interaction, and high impact on confidentiality, integrity, and availability. No known exploits are currently reported in the wild.

Potential Impact

For European organizations using vulnerable versions of ConnectWise ScreenConnect, this vulnerability poses a significant risk. Successful exploitation could allow attackers to execute arbitrary code on the server, leading to full system compromise. This could result in unauthorized access to sensitive data, disruption of remote support services, and potential lateral movement within corporate networks. Given ScreenConnect's role in remote IT support and management, attackers could leverage this to gain persistent footholds or disrupt critical IT operations. The requirement for prior privileged access to obtain machine keys somewhat limits the attack surface but does not eliminate risk, especially if internal threats or other vulnerabilities exist that could lead to privilege escalation. The impact is particularly severe for organizations relying heavily on ScreenConnect for remote administration, including managed service providers and enterprises with distributed IT infrastructure across Europe.

Mitigation Recommendations

European organizations should urgently upgrade ConnectWise ScreenConnect to version 2025.4 or later, where ViewState is disabled and the vulnerability is mitigated. Until patching is complete, organizations should implement strict access controls to limit privileged system-level access, thereby reducing the risk of machine key compromise. Monitoring and auditing of privileged account activities should be enhanced to detect any unauthorized access attempts. Network segmentation should be employed to isolate ScreenConnect servers from less trusted network zones. Additionally, organizations can consider disabling or restricting access to the ScreenConnect web interface from untrusted networks and enforce multi-factor authentication for administrative access. Regular backups and incident response plans should be reviewed and tested to prepare for potential exploitation scenarios. Finally, applying ASP.NET security best practices, such as using custom machine keys with strong entropy and rotating them periodically, can further reduce risk.
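
As an added example (not ConnectWise's code and not part of the original analysis), the Python sketch below audits the generic ASP.NET `<machineKey>` and `<pages>` settings in a `web.config`, following the recommendations above on key strength and rotation. The sample config, the fingerprint scheme and the low-variety heuristic are assumptions for illustration; where a given ScreenConnect install keeps these settings is not stated on this page.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample: an obviously non-random placeholder key, not real key material.
SAMPLE_KEY = "A" * 40
SAMPLE_WEB_CONFIG = f"""<configuration>
  <system.web>
    <machineKey validationKey="{SAMPLE_KEY}"
                decryptionKey="AutoGenerate,IsolateApps" />
    <pages enableViewStateMac="false" />
  </system.web>
</configuration>"""


def fingerprint(key):
    """Short SHA-256 tag so rotation can be tracked without logging the key."""
    return hashlib.sha256(key.encode()).hexdigest()[:12]


def audit_machine_keys(xml_text, seen_before=frozenset()):
    """Return (code, detail) findings; seen_before holds fingerprints from earlier audits."""
    findings = []
    root = ET.fromstring(xml_text)
    # <system.web> can sit under <configuration> or inside <location> elements.
    for sw in root.iter("system.web"):
        mk = sw.find("machineKey")
        for attr in ("validationKey", "decryptionKey"):
            # A missing element or attribute means the runtime auto-generates the key.
            key = mk.get(attr, "AutoGenerate") if mk is not None else "AutoGenerate"
            if key.startswith("AutoGenerate"):
                continue
            fp = fingerprint(key)
            # A static key is readable by anyone who can read this file.
            findings.append(("STATIC_KEY", f"{attr} fp={fp}"))
            # Heuristic (assumption): a random hex key uses most of the 16 hex digits.
            if len(set(key.upper())) < 8:
                findings.append(("LOW_VARIETY_KEY", f"{attr} fp={fp}"))
            if fp in seen_before:
                findings.append(("NOT_ROTATED", f"{attr} fp={fp}"))
        pages = sw.find("pages")
        if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
            findings.append(("MAC_DISABLED", "enableViewStateMac=false"))
    return findings


if __name__ == "__main__":
    for code, detail in audit_machine_keys(SAMPLE_WEB_CONFIG):
        print(code, detail)
```

Keeping the fingerprints from each run and passing them as `seen_before` on the next run shows whether a scheduled key rotation actually took place.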


Technical Details

Data Version: 5.1
Assigner Short Name: ConnectWise
Date Reserved: 2025-04-25T14:32:25.365Z
CISA Enriched: true

Threat ID: 682d983ec4522896dcbeff58

Added to database: 5/21/2025, 9:09:18 AM

Last enriched: 9/21/2025, 12:08:16 AM

Last updated: 10/16/2025, 12:51:12 PM
