CVE-2025-3935 — ConnectWise ScreenConnect Improper Authentication Vulnerability

ConnectWise ScreenConnect — ViewState Code Injection via Exposed Machine Key; RCE on Server; April 2025 Security Patch

What is ConnectWise ScreenConnect?

ConnectWise ScreenConnect (formerly ScreenConnect) is a widely used Remote Monitoring and Management (RMM) and remote support platform deployed by Managed Service Providers (MSPs) and IT teams to remotely access and support endpoints. Like other RMM platforms, ScreenConnect is a high-value target — compromise of the server can provide authenticated remote access to all connected endpoints under management.

ConnectWise ScreenConnect has been attacked before: CVE-2024-1708 and CVE-2024-1709 (February 2024) were critical authentication bypass and path traversal zero-days that led to mass exploitation by ransomware operators within hours of disclosure.

Overview

CVE-2025-3935 is an improper authentication / deserialization vulnerability (CWE-502) in ConnectWise ScreenConnect that enables remote code execution via ViewState code injection when machine keys are compromised or predictable. ASP.NET ViewState tokens are cryptographically signed using the web server's machine key — if an attacker obtains the machine key (through a prior information disclosure vulnerability, default configuration, or brute force), they can forge ViewState tokens containing arbitrary serialized objects, which the server deserializes and executes. Fixed in ScreenConnect Security Patch 2025.4.

Affected Versions

Product | Vulnerable | Fixed
ConnectWise ScreenConnect | < 2025.4 security patch | 2025.4

Technical Details

The vulnerability (listed by NVD as CWE-502 deserialization, a misclassification given that the underlying mechanism is ViewState injection) exploits ASP.NET's ViewState MAC validation. ViewState is a mechanism ASP.NET uses to preserve page state across HTTP requests — it is serialized, base64-encoded, and stored in the page as a hidden form field. To prevent tampering, ViewState is signed using the application's machine key.

Attack prerequisites and flow:

  1. Attacker obtains the ScreenConnect server's ASP.NET machine key (through information disclosure, configuration exposure, or the Gladinet hardcoded key pattern)
  2. Constructs a malicious ViewState token containing a serialized .NET object that executes arbitrary code when deserialized
  3. Submits the crafted ViewState in an HTTP request to the ScreenConnect web server
  4. The server deserializes the token (after MAC validation passes due to known machine key) → arbitrary code execution as the web server process

The High attack complexity (AC:H) reflects the machine key prerequisite: the key is not trivially available without a prior step. However, ConnectWise's prior history of information disclosure vulnerabilities (and the existence of tools that enumerate default/predictable machine keys) reduces this barrier.
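Because the whole attack depends on the key, a defender can check how the signing keys are configured. The following is an added example, not code from ConnectWise or from the original page: it assumes the keys live in a standard ASP.NET `web.config` `<machineKey>` element (the page does not say where ScreenConnect stores them), and the sample config, key value and blocklist are constructed placeholders.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample config; the key value is a made-up placeholder.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="AutoGenerate,IsolateApps" validation="SHA1" />
    <pages enableViewStateMac="false" />
  </system.web>
</configuration>"""

# Hypothetical blocklist: SHA-256 digests of keys known to be public.
# Here it holds only the digest of the placeholder key above.
KNOWN_PUBLIC_KEY_HASHES = {hashlib.sha256(b"0123456789ABCDEF" * 4).hexdigest()}


def audit_machine_key(config_xml, blocklist=KNOWN_PUBLIC_KEY_HASHES):
    """Return findings about how the ViewState signing keys are configured."""
    system_web = ET.fromstring(config_xml).find("system.web")
    if system_web is None:
        return []
    findings = []
    machine_key = system_web.find("machineKey")
    if machine_key is not None:
        for attr in ("validationKey", "decryptionKey"):
            value = machine_key.get(attr, "AutoGenerate")
            if value.upper().startswith("AUTOGENERATE"):
                continue  # generated per machine, not stored in this file
            findings.append(f"{attr}: static key stored in config")
            digest = hashlib.sha256(value.upper().encode()).hexdigest()
            if digest in blocklist:
                findings.append(f"{attr}: matches a known-public key")
    # MAC check switched off (ignored by .NET 4.5.2 and later, which enforce it).
    pages = system_web.find("pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("pages: enableViewStateMac is disabled")
    return findings


if __name__ == "__main__":
    for finding in audit_machine_key(SAMPLE_WEB_CONFIG):
        print(finding)
```

A static key is not a flaw by itself, but it means anyone who can read the file or a backup of it holds the signing key, which is why key regeneration belongs with patching.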

Exploitation Context

CISA confirmed active exploitation and added the vulnerability to the KEV catalog on June 2, 2025. The six-week gap between the April 2025 patch and the June KEV listing suggests either a delayed exploitation window or that exploitation was initially not recognized. The MSP/RMM positioning of ScreenConnect makes it a high-value target for ransomware operators seeking supply-chain access.

Remediation

  1. Apply ConnectWise ScreenConnect Security Patch 2025.4 immediately. The CISA deadline was June 23, 2025.
  2. Regenerate the ASP.NET machine key — apply the patch and then regenerate the machine key to prevent exploitation by any attacker who may have obtained the prior key. ConnectWise's patch process may handle this; verify with their guidance.
  3. Enable MFA for all ScreenConnect administrative accounts.
  4. Restrict ScreenConnect server access via IP allowlisting or VPN — the server should not be directly internet-accessible.
  5. Audit ScreenConnect logs for unusual ViewState errors or deserialization exceptions that could indicate exploitation attempts.
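
One way to carry out steps 4 and 5 together is to triage ViewState verification failures by source address. This is an added example, not code from ConnectWise or the original page: the log lines are constructed, loosely modeled on ASP.NET health-monitoring events (Event ID 1316, event code 4009), and the line format, allowlist range and thresholds are assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (a flattened export of ASP.NET web events).
SAMPLE_LOG = """\
2025-05-30T02:14:07 event_id=1316 code=4009 ip=203.0.113.50 msg="Viewstate verification failed"
2025-05-30T02:14:09 event_id=1316 code=4009 ip=203.0.113.50 msg="Viewstate verification failed"
2025-05-30T02:14:15 event_id=1316 code=4009 ip=203.0.113.50 msg="Viewstate verification failed"
2025-05-30T09:01:00 event_id=1316 code=4009 ip=10.0.4.17 msg="Viewstate verification failed"
2025-05-30T09:30:00 event_id=1309 code=3005 ip=10.0.4.22 msg="An unhandled exception has occurred"
"""

LINE_RE = re.compile(r"^(\S+) event_id=(\d+) code=(\d+) ip=(\S+) ")
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed admin/VPN range


def viewstate_alerts(log_text, window=timedelta(minutes=5), threshold=3):
    """Return {ip: [reasons]} for ViewState verification failures worth triage."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(3) != "4009":
            continue  # only ViewState verification failures are of interest
        hits[m.group(4)].append(datetime.fromisoformat(m.group(1)))
    alerts = {}
    for ip, times in hits.items():
        times.sort()
        reasons = []
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in ALLOWED_NETS):
            reasons.append("source outside allowlist")
        # Sliding window: `threshold` consecutive failures within `window`.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                reasons.append("burst of failures")
                break
        if reasons:
            alerts[ip] = reasons
    return alerts


if __name__ == "__main__":
    for ip, reasons in viewstate_alerts(SAMPLE_LOG).items():
        print(ip, "; ".join(reasons))
```

A token signed with the real key passes the MAC check, so a quiet log does not replace patching and key regeneration.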

Key Details

Property | Value
CVE ID | CVE-2025-3935
Vendor / Product | ConnectWise — ScreenConnect
NVD Published | 2025-04-25
NVD Last Modified | 2025-10-24
CVSS 3.1 Score | 8.1
CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity | HIGH
CWE | CWE-502
CISA KEV Added | 2025-06-02
CISA KEV Deadline | 2025-06-23
Known Ransomware Use | No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2025-06-23. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date | Event
2025-04-25 | CVE published; ConnectWise ScreenConnect Security Patch 2025.4 released
2025-06-02 | Added to CISA Known Exploited Vulnerabilities catalog
2025-06-23 | CISA BOD 22-01 remediation deadline
