CVE-2025-3935 is a high-severity vulnerability affecting ConnectWise ScreenConnect versions 25.2.3 and earlier. The issue stems from improper authentication related to the use of ASP.NET Web Forms ViewState, which is a mechanism to preserve page and control state between postbacks. ViewState data is Base64 encoded and cryptographically protected using machine keys unique to the server environment. The vulnerability arises if an attacker can obtain these machine keys, which requires privileged system-level access. With the machine keys compromised, an attacker can craft malicious ViewState payloads and send them to the ScreenConnect web application, potentially leading to remote code execution (RCE) on the server hosting ScreenConnect. This vulnerability is not due to a flaw in ScreenConnect itself but rather due to the underlying ASP.NET platform behavior and the reliance on ViewState for state management. The ScreenConnect 2025.4 patch mitigates this risk by disabling ViewState entirely and removing any dependency on it, thereby eliminating the attack vector. The CVSS 3.1 score of 8.1 reflects the high impact on confidentiality, integrity, and availability, with network attack vector but requiring high attack complexity and no privileges or user interaction. No known exploits are currently reported in the wild, but the potential for severe damage exists if exploited.

For European organizations using vulnerable versions of ConnectWise ScreenConnect, the impact could be significant. ScreenConnect is widely used for remote support and IT management, meaning a successful exploit could allow attackers to execute arbitrary code on critical servers, leading to full system compromise. This could result in data breaches, disruption of IT services, unauthorized access to sensitive systems, and potential lateral movement within corporate networks. Given the central role of remote support tools in IT operations, exploitation could severely affect business continuity and data confidentiality. Additionally, organizations in regulated sectors such as finance, healthcare, and critical infrastructure in Europe could face compliance violations and reputational damage. The requirement for privileged access to obtain machine keys somewhat limits the attack surface but does not eliminate risk, especially if attackers gain initial footholds through other means. The removal of ViewState dependency in the patched version reduces future risk, but organizations running unpatched versions remain vulnerable.

European organizations should prioritize upgrading ConnectWise ScreenConnect to version 25.4 or later, which disables ViewState and removes the vulnerability. Until patching is complete, organizations should implement strict access controls and monitoring on servers hosting ScreenConnect to prevent unauthorized privileged access that could expose machine keys. Employing host-based intrusion detection and integrity monitoring can help detect suspicious activities indicative of key compromise. Network segmentation should isolate ScreenConnect servers from less trusted network zones to reduce exposure. Additionally, organizations should review and harden ASP.NET machine key management practices, ensuring keys are securely stored and rotated regularly. Logging and alerting on abnormal ViewState payloads or unexpected server behaviors can provide early detection of exploitation attempts. Finally, conducting regular security audits and penetration testing focused on remote support infrastructure will help identify and remediate weaknesses proactively.