ScreenConnect versions 25.2.3 and earlier may be susceptible to a ViewState code injection attack. ASP.NET Web Forms use ViewState to preserve page and control state, with the data Base64-encoded and protected by machine keys. Obtaining these machine keys requires privileged system-level access.

If these machine keys are compromised, attackers could create and send a malicious ViewState to the website, potentially leading to remote code execution on the server.

The risk does not originate from a vulnerability introduced by ScreenConnect, but from platform-level behavior. This had no direct impact on ScreenConnect Client. The ScreenConnect 2025.4 patch disables ViewState and removes any dependency on it.

Fixes

Solution

Cloud: No action is required.

On-premises: Upgrade to the latest stable version. Details and guidance can be found here: ScreenConnect 25.2.4 Security Patch https://www.connectwise.com/company/trust/security-bulletins/screenconnect-security-patch-2025.4


Workaround

No workaround given by the vendor.

History

Wed, 03 Sep 2025 21:00:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo

Wed, 03 Sep 2025 17:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-287

Wed, 03 Sep 2025 16:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-502

Wed, 04 Jun 2025 16:00:00 +0000

Type Values Removed Values Added
First Time appeared Connectwise
Connectwise screenconnect
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:connectwise:screenconnect:*:*:*:*:*:*:*:*
Vendors & Products Connectwise
Connectwise screenconnect

Mon, 02 Jun 2025 23:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

kev

{'dateAdded': '2025-06-02'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'active', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 25 Apr 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 25 Apr 2025 18:45:00 +0000

Type Values Removed Values Added
Description ScreenConnect versions 25.2.3 and earlier versions may be susceptible to a ViewState code injection attack. ASP.NET Web Forms use ViewState to preserve page and control state, with data encoded using Base64 protected by machine keys.  It is important to note that to obtain these machine keys, privileged system level access must be obtained. If these machine keys are compromised, attackers could create and send a malicious ViewState to the website, potentially leading to remote code execution on the server.  The risk does not originate from a vulnerability introduced by ScreenConnect, but from platform level behavior.  This had no direct impact to ScreenConnect Client. ScreenConnect 2025.4 patch disables ViewState and removes any dependency on it.
Title ScreenConnect Exposure to ASP.NET ViewState Code Injection
Weaknesses CWE-287
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: ConnectWise

Published:

Updated: 2025-09-03T16:31:13.339Z

Reserved: 2025-04-25T14:32:25.365Z

Link: CVE-2025-3935

Vulnrichment

Updated: 2025-04-25T18:55:48.517Z

NVD

Status : Analyzed

Published: 2025-04-25T19:15:49.143

Modified: 2025-09-03T21:00:04.450

Link: CVE-2025-3935

Redhat

No data.

OpenCVE Enrichment

No data.