ConnectWise has disclosed and patched CVE-2026-3564, a critical vulnerability in its ScreenConnect remote access platform that allows unauthenticated attackers to extract server-level machine keys and forge trusted session authentication. With a CVSS score of 9.0 and a history of ScreenConnect flaws being weaponised within hours of disclosure, every organisation running an on-premises instance needs to treat this as an emergency — not a scheduled maintenance item.
Cloud-hosted ScreenConnect instances have already been patched automatically. On-premises deployments — the ones most commonly managed by MSPs and internal IT teams, and the ones most likely to be forgotten — have not. If the pattern from previous ScreenConnect vulnerabilities holds, the exploitation window is already open.
What CVE-2026-3564 Actually Does
The vulnerability, classified under CWE-347 (Improper Verification of Cryptographic Signature), stems from how ScreenConnect stored its ASP.NET machine keys. Prior to version 26.1, each ScreenConnect instance generated unique machine keys and stored them in plaintext within server configuration files. Under certain conditions — misconfigured access controls, adjacent vulnerabilities, or compromised server integrity — an attacker could extract this cryptographic material without authentication.
Machine keys are the foundation of ASP.NET's ViewState protection mechanism. They sign and encrypt the serialised data that the framework passes between server and client. When an attacker possesses valid machine keys, they can craft and sign their own ViewState payloads that the application will treat as legitimate. The consequences are severe:
- Session forgery: The attacker can generate authentication tokens that the server accepts as trusted, granting access to active ScreenConnect sessions without valid credentials.
- Privilege escalation: Forged sessions can be constructed with elevated permissions, providing administrative control over the ScreenConnect instance.
- Remote code execution: Through ViewState deserialisation, a crafted payload can execute arbitrary code on the server — the same attack class that Microsoft flagged in February 2025 when it identified over 3,000 publicly disclosed ASP.NET machine keys being actively abused across the internet.
ConnectWise's advisory states the attack complexity is high (the CVSS vector specifies AC:H), meaning exploitation requires specific conditions beyond simply reaching the server. But "high complexity" in a CVSS vector has never stopped motivated attackers, and the potential impact — confidentiality, integrity, and availability all rated high, with a changed scope — makes this worth pursuing for any threat actor with the patience to attempt it.
Why This Matters More Than the CVSS Score Suggests
ScreenConnect is not an obscure application running on a handful of servers. It is one of the most widely deployed remote monitoring and management (RMM) tools in the managed services ecosystem, with ConnectWise commanding approximately 27% market share in the MSP software space. When the Shadowserver Foundation scanned for publicly exposed ScreenConnect instances during the CVE-2024-1709 crisis in February 2024, it found over 8,200 servers directly accessible from the internet. Shodan corroborated similar numbers, with only 980 running the patched version at the time.
The attack surface is not just the ScreenConnect server itself. Each server typically manages remote access to dozens or hundreds of endpoint machines across client organisations. Compromising a single ScreenConnect instance can provide an attacker with a ready-made tunnel into every machine connected to it — a supply chain attack delivered through legitimate infrastructure.
The CVE-2024-1709 Precedent
We do not need to speculate about how this plays out. CVE-2024-1709, disclosed in February 2024 with the maximum possible CVSS score of 10, was an authentication bypass that allowed attackers to create administrative accounts on any exposed ScreenConnect server. The exploitation timeline was brutal:
- Within 72 hours of disclosure, LockBit, Play, Black Basta, and Conti ransomware operators were actively exploiting the flaw.
- Sophos X-Ops tracked attacks where the same ransomware payload appeared across more than 30 different customer networks — clear evidence of mass exploitation through compromised ScreenConnect servers.
- A week after the patch was released, 3,800 instances remained vulnerable.
- By May 2025, ConnectWise disclosed that its own network had been breached in an attack linked to nation-state actors, affecting a small number of ScreenConnect customers.
And CVE-2024-1709 was not the last. ConnectWise disclosed CVE-2025-3935, another high-severity authentication vulnerability — this time a ViewState code-injection flaw — affecting versions 25.2.3 and earlier. Multiple threat groups exploited it in the wild.
CVE-2026-3564 is the third critical ScreenConnect vulnerability in two years. The pattern is unmistakable: ScreenConnect is a high-value target, and threat actors are watching ConnectWise advisories as closely as defenders are.
RMM Tools: The Quiet Catastrophe
ScreenConnect's vulnerability sits within a broader crisis in the RMM ecosystem that has accelerated dramatically. The Huntress 2026 Cyber Threat Report recorded a staggering 277% increase in RMM abuse during 2025, with RMM exploitation accounting for 24% of all observed security incidents.
The numbers tell a story of systemic risk:
| Statistic | Source |
|---|---|
| 59.4% of ransomware cases began with external remote access (including RMM) | Arctic Wolf 2025 Threat Report |
| 51 RMM solutions flagged as attack targets in 2025 | Microsoft Defender Experts |
| 36% of incident response cases involved malicious RMM tool usage | Arctic Wolf |
| 32 different RMM tools observed being abused by threat actors | Arctic Wolf |
| Ransomware damage via abused RMM tools unfolds in 1–2 hours | Huntress |
| Average eCrime breakout time dropped to 29 minutes in 2025 | CrowdStrike |
The reason RMM tools are so attractive to attackers is precisely what makes them valuable to IT teams: they provide authenticated, persistent, administrative access to endpoint machines, and their traffic is typically trusted by firewalls and EDR solutions. A compromised RMM server does not need to deploy malware. It already is the access mechanism.
Microsoft Defender Experts specifically called out ConnectWise ScreenConnect alongside BeyondTrust Remote Support and SimpleHelp as RMM platforms where zero-day exploitation was observed during 2024 and early 2025. The trend is not slowing.
The ASP.NET Machine Key Problem
CVE-2026-3564 is not an isolated design mistake. It belongs to a well-documented class of vulnerabilities that the security community has been warning about for years.
In February 2025, Microsoft Threat Intelligence published research identifying over 3,000 publicly disclosed ASP.NET machine keys — keys that had been committed to public repositories, included in documentation samples, or shipped in default configurations. Attackers were already using these keys to conduct ViewState code injection attacks, achieving remote code execution on servers that trusted the forged payloads.
The attack chain is straightforward: obtain the machine key, craft a serialised ViewState payload containing arbitrary code, sign it with the stolen key, and send it to the server. The ASP.NET runtime decrypts it, validates the signature successfully, deserialises the payload, and executes the embedded code in the worker process. From the server's perspective, everything looks legitimate.
This same technique was exploited in CVE-2025-53690 (Sitecore, CVSS 9.0), where Mandiant discovered attackers leveraging a sample machine key that had been published in Sitecore deployment guides since 2017. CISA added the related SharePoint deserialisation vulnerability CVE-2026-20963 to its Known Exploited Vulnerabilities catalogue on 18 March 2026 — one day after ConnectWise published its own advisory.
The convergence is not coincidental. ASP.NET ViewState deserialisation is a proven, reliable attack vector. Any application that stores its machine keys in an extractable location is handing attackers the means to exploit it.
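A defender-side check for the storage problem described above, added here as an illustration and not code from ConnectWise or the cited research: it parses an ASP.NET web.config and flags a machineKey element whose validationKey or decryptionKey is written out in plaintext, matches a constructed "already public" key, or uses a legacy MAC/cipher, and it shows a hardened configuration beside the exposed one. The sample configs and the placeholder key are constructed; ScreenConnect's real configuration files are not reproduced here.

```python
"""Audit an ASP.NET web.config for the plaintext and weak machineKey settings
discussed above. Constructed example: the sample configs and the 'known
public' key are made up for illustration, not ScreenConnect's real files."""
import xml.etree.ElementTree as ET

# Constructed placeholder for a key already known to be public (for example
# one copied from a documentation sample); real lists come from threat intel.
KNOWN_PUBLIC_VALIDATION_KEYS = {"CAFEBABE" * 16}
WEAK_VALIDATION = {"MD5", "SHA1"}
WEAK_DECRYPTION = {"DES", "3DES"}

def audit_machine_key(config_xml: str) -> list[str]:
    """Return findings for one config; an empty list means nothing to flag."""
    findings = []
    root = ET.fromstring(config_xml)
    mk = next(root.iter("machineKey"), None)
    if mk is None:
        return findings  # no explicit element: the runtime auto-generates keys
    vkey = mk.get("validationKey", "AutoGenerate")
    dkey = mk.get("decryptionKey", "AutoGenerate")
    if not vkey.upper().startswith("AUTOGENERATE"):
        findings.append("validationKey stored in plaintext in web.config")
        if vkey.upper() in KNOWN_PUBLIC_VALIDATION_KEYS:
            findings.append("validationKey matches a known public key")
    if not dkey.upper().startswith("AUTOGENERATE"):
        findings.append("decryptionKey stored in plaintext in web.config")
    if mk.get("validation", "HMACSHA256").upper() in WEAK_VALIDATION:
        findings.append("weak ViewState MAC algorithm: " + mk.get("validation"))
    if mk.get("decryption", "Auto").upper() in WEAK_DECRYPTION:
        findings.append("weak ViewState cipher: " + mk.get("decryption"))
    pages = next(root.iter("pages"), None)
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("enableViewStateMac=false disables ViewState signing")
    return findings

# Constructed 'before' config: static keys in plaintext and a legacy SHA1 MAC.
EXPOSED_CONFIG = """<configuration><system.web>
  <machineKey validationKey="%s" decryptionKey="%s"
              validation="SHA1" decryption="AES" />
</system.web></configuration>""" % ("CAFEBABE" * 16, "0123456789ABCDEF" * 4)

# Constructed 'after' config: keys generated by the runtime and never written
# to the file, so there is nothing for an attacker to extract from it.
HARDENED_CONFIG = """<configuration><system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps"
              decryptionKey="AutoGenerate,IsolateApps"
              validation="HMACSHA256" decryption="AES" />
</system.web></configuration>"""
```

AutoGenerate keys are per-machine, so a multi-server deployment that must share keys should keep them in a protected configuration section (for example encrypted with aspnet_regiis -pe) rather than in plaintext.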
What Organisations Should Do Now
1. Patch Immediately
Upgrade all on-premises ScreenConnect instances to version 26.1. This is non-negotiable. Version 26.1 implements encrypted storage and management of machine keys, eliminating the plaintext extraction vector.
If your maintenance licence has expired, you will need to renew before upgrading. Do it today — the cost of licence renewal is trivial compared to the cost of a ransomware incident cascading through your managed endpoints.
2. Rotate Machine Keys Post-Upgrade
Patching closes the extraction vector, but it does not invalidate keys that may have already been compromised. If there is any possibility that an attacker accessed your server configuration files before the upgrade, assume the old machine keys are burned. Regenerate them after upgrading to 26.1.
3. Audit Network Exposure
ScreenConnect servers should not be directly exposed to the internet without access controls. Verify that your instances are behind a VPN or zero-trust access gateway. If Shadowserver or Shodan can see your ScreenConnect login page, so can every threat actor running automated scans.
4. Monitor for Anomalous Sessions
Review active and recent ScreenConnect sessions for any that cannot be attributed to legitimate administrative activity. Pay particular attention to sessions initiated outside normal working hours, from unfamiliar IP addresses, or targeting machines that would not ordinarily be accessed remotely.
5. Assume the Worst About Your RMM Stack
If you are running ScreenConnect, audit your entire RMM deployment. What other remote access tools are present in your environment? Are any running outdated versions? Are any exposed to the internet without MFA? The 277% surge in RMM abuse means that attackers are systematically probing every tool in this category, not just ScreenConnect.
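An added example for the session review in step 4, not code from ConnectWise or from the reports cited here: it scores a constructed export of ScreenConnect session records against the three signals the step names (off-hours starts, unfamiliar source IPs, hosts outside the usual access baseline) and lists the sessions with the most indicators first. The CSV layout, admin networks, baseline hosts and sample rows are all constructed; a real ScreenConnect audit export would need to be mapped onto the same fields.

```python
"""Triage ScreenConnect session records against the three signals named in
step 4: off-hours starts, unfamiliar source IPs, hosts outside the baseline.
Constructed example: the CSV layout, baseline and rows are made up; map your
own ScreenConnect audit export onto the same fields before running it."""
import csv
import io
import ipaddress
from datetime import datetime

# Constructed baseline: networks admins normally connect from and hosts that
# are routinely reached through ScreenConnect.
ADMIN_NETWORKS = [ipaddress.ip_network("10.20.0.0/16"),
                  ipaddress.ip_network("203.0.113.0/24")]
BASELINE_HOSTS = {"WS-FINANCE-01", "WS-FINANCE-02", "SRV-FILE-01"}
WORK_HOURS = range(8, 18)  # 08:00-17:59 local time

# Constructed sample export (timestamps in local time).
SAMPLE_SESSIONS = """started,source_ip,host,user
2026-03-18T10:15:00,10.20.4.7,WS-FINANCE-01,admin.jsmith
2026-03-18T02:41:00,198.51.100.23,SRV-DC-01,admin.jsmith
2026-03-18T14:05:00,203.0.113.9,WS-FINANCE-02,admin.kwong
2026-03-18T23:30:00,10.20.4.7,SRV-BACKUP-01,admin.jsmith
"""

def triage_sessions(csv_text: str) -> list[tuple[str, str, list[str]]]:
    """Return (started, host, reasons) for each session that trips a signal,
    sessions with the most reasons first."""
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        if datetime.fromisoformat(row["started"]).hour not in WORK_HOURS:
            reasons.append("started outside working hours")
        src = ipaddress.ip_address(row["source_ip"])
        if not any(src in net for net in ADMIN_NETWORKS):
            reasons.append("source IP outside admin networks")
        if row["host"] not in BASELINE_HOSTS:
            reasons.append("host not in remote-access baseline")
        if reasons:
            flagged.append((row["started"], row["host"], reasons))
    return sorted(flagged, key=lambda f: -len(f[2]))
```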
The Bigger Picture
ConnectWise stated that it has no evidence of active exploitation of CVE-2026-3564 in the wild as of the advisory date. That is a narrow comfort. They said something similar before CVE-2024-1709 was weaponised within three days.
The uncomfortable reality is that the MSP ecosystem's dependency on RMM tools has created a concentration of risk that attackers understand intimately. A single vulnerable ScreenConnect server is not one compromised machine — it is a bridge into every organisation that server manages. When 59.4% of ransomware cases begin with external remote access, and when breakout times have collapsed to 29 minutes, the margin for delayed patching has evaporated entirely.
The organisations that survive this era will be the ones that treat their RMM infrastructure with the same paranoia they apply to their domain controllers: patched within hours, monitored continuously, and never — under any circumstances — left exposed on the internet with default configurations and plaintext cryptographic material.
Key Takeaways
- CVE-2026-3564 (CVSS 9.0) allows unauthenticated attackers to extract ASP.NET machine keys from ScreenConnect servers running versions prior to 26.1, enabling session forgery, privilege escalation, and potential remote code execution via ViewState deserialisation.
- This is the third critical ScreenConnect vulnerability in two years — CVE-2024-1709 was exploited by ransomware gangs within 72 hours of disclosure, and CVE-2025-3935 was actively exploited in the wild, establishing a clear pattern of rapid weaponisation.
- RMM tool abuse surged 277% in 2025, accounting for 24% of all security incidents, with 59.4% of ransomware cases beginning through external remote access — making unpatched ScreenConnect servers prime targets.
- Cloud instances are already patched; on-premises deployments are not — administrators must manually upgrade to version 26.1 immediately and rotate machine keys if prior compromise cannot be ruled out.
- ASP.NET machine key attacks are a proven, well-understood exploitation technique — Microsoft identified over 3,000 publicly disclosed keys being abused in the wild, and CISA added a related ViewState deserialisation CVE to its Known Exploited Vulnerabilities catalogue on 18 March 2026.
Sources:
- ConnectWise Security Bulletin — 17 March 2026
- BleepingComputer: ConnectWise patches new flaw allowing ScreenConnect hijacking
- SecurityWeek: Critical ScreenConnect Vulnerability Exposes Machine Keys
- Cyber Security News: ScreenConnect Vulnerability Allows Hackers to Extract Machine Keys
- Microsoft: Code injection attacks using publicly disclosed ASP.NET machine keys
- Huntress 2026 Cyber Threat Report — RMM abuse statistics
- Arctic Wolf 2025 Threat Report
- CrowdStrike 2026 Global Threat Report
- SC Media: ConnectWise ScreenConnect bug used in Play ransomware breach
- Sophos: Widespread Exploitation of ConnectWise ScreenConnect Server Vulnerabilities