CVE-2025-3935

Name of the Vulnerable Software and Affected Versions ScreenConnect versions 25.2.3 and earlier

Description The issue concerns a ViewState code injection attack in ScreenConnect, which uses ASP.NET Web Forms to preserve page and control state. The data is encoded using Base64 and protected by machine keys. If these machine keys are compromised, attackers could create and send a malicious ViewState to the website, potentially leading to remote code execution on the server. The risk does not originate from a vulnerability introduced by ScreenConnect, but from platform-level behavior. It is estimated that over 445,000 devices may be affected. There have been reports of real-world incidents where this issue was exploited, including a suspected nation-state attack on ConnectWise.

Recommendations For ScreenConnect versions 25.2.3 and earlier, update to version 2025.4, which disables ViewState and removes any dependency on it. As a temporary workaround, consider restricting access to the vulnerable module to minimize the risk of exploitation. Avoid using the ViewState parameter in affected API endpoints until the issue is resolved.