CVE-2025-3935: CWE-502 Deserialization of Untrusted Data in ConnectWise ScreenConnect
ScreenConnect versions 25.2.3 and earlier may be susceptible to a ViewState code injection attack. ASP.NET Web Forms use ViewState to preserve page and control state, with data encoded using Base64 and protected by machine keys. It is important to note that to obtain these machine keys, privileged system-level access must first be obtained. If these machine keys are compromised, attackers could create and send a malicious ViewState to the website, potentially leading to remote code execution on the server. The risk does not originate from a vulnerability introduced by ScreenConnect, but from platform-level behavior. This has no direct impact on the ScreenConnect client. The ScreenConnect 2025.4 patch disables ViewState and removes any dependency on it.
AI Analysis
Technical Summary
CVE-2025-3935 is a vulnerability classified under CWE-502 (Deserialization of Untrusted Data) affecting ConnectWise ScreenConnect versions prior to 25.2.3. The issue arises from the use of ASP.NET Web Forms ViewState, which preserves page and control state by encoding data in Base64 and protecting it with machine keys. If an attacker gains privileged system-level access to obtain these machine keys, they can craft malicious ViewState payloads that, when deserialized by the server, can lead to remote code execution (RCE). This vulnerability is not due to a direct coding error in ScreenConnect but rather a consequence of the underlying ASP.NET platform's handling of ViewState. The attack vector requires no user interaction but does require high attack complexity because obtaining machine keys demands elevated privileges. ScreenConnect 25.4 addresses this by disabling ViewState usage, thereby removing the attack surface. The CVSS v3.1 score of 8.1 reflects the high confidentiality, integrity, and availability impact if exploited, balanced by the difficulty of exploitation. No known active exploits have been reported, but the potential for severe impact warrants immediate attention. Organizations running affected versions should upgrade to 25.4 or later and review system privilege management to prevent unauthorized access to machine keys.
Potential Impact
If exploited, this vulnerability could allow attackers to execute arbitrary code remotely on servers running vulnerable ScreenConnect versions, leading to full compromise of the affected system. This could result in unauthorized access to sensitive data, disruption of remote support services, and potential lateral movement within enterprise networks. The confidentiality, integrity, and availability of systems and data could be severely impacted. Given ScreenConnect's role in remote support and IT management, exploitation could disrupt critical business operations and expose organizations to further attacks. The requirement for privileged access to obtain machine keys limits the ease of exploitation but does not eliminate risk, especially in environments with weak privilege management or insider threats. The vulnerability does not affect the ScreenConnect client directly but targets the server-side infrastructure, making server hardening and patching critical. Organizations relying heavily on ScreenConnect for remote administration are at heightened risk of operational disruption and data breaches if this vulnerability is exploited.
Mitigation Recommendations
Organizations should immediately upgrade ConnectWise ScreenConnect to version 25.4 or later, which disables ViewState and removes the dependency that enables this attack vector. In addition, strict privilege management policies must be enforced to prevent unauthorized access to system-level credentials and machine keys. Regular audits of system access and privilege escalation attempts should be conducted. Network segmentation and application whitelisting can limit exposure of ScreenConnect servers to untrusted networks. Monitoring for unusual ViewState payloads or abnormal server behavior can help detect exploitation attempts. If upgrading is not immediately possible, disabling ASP.NET ViewState manually or applying custom patches to restrict ViewState usage can reduce risk. Backup and recovery plans should be tested to ensure rapid restoration in case of compromise. Finally, organizations should stay informed about any emerging exploits or patches related to this vulnerability.
Affected Countries
United States, Canada, United Kingdom, Germany, Australia, France, Japan, South Korea, India, Brazil
Technical Details
- Data Version: 5.1
- Assigner Short Name: ConnectWise
- Date Reserved: 2025-04-25T14:32:25.365Z
- CISA Enriched: true
Threat ID: 682d983ec4522896dcbeff58
Added to database: 5/21/2025, 9:09:18 AM
Last enriched: 2/26/2026, 9:30:50 PM
Last updated: 3/22/2026, 11:13:59 AM