Critical ScreenConnect Vulnerability Enables Session Hijacking and Key Theft
ConnectWise has disclosed a critical security vulnerability in its ScreenConnect remote access platform that could allow unauthenticated attackers to extract cryptographic machine keys and hijack authenticated sessions.
The flaw, tracked as CVE-2026-3564, carries a CVSS score of 9.0 and has been assigned Priority 1 High, indicating an elevated risk of active exploitation in the wild.
The vulnerability stems from how earlier versions of ScreenConnect stored machine keys, unique cryptographic identifiers assigned per server instance.
According to ConnectWise’s advisory, these keys were stored in server configuration files with insufficient protection, meaning that under certain conditions, an unauthorized actor with access to those files could extract the material and repurpose it to bypass session authentication.
The flaw is classified under CWE-347: Improper Verification of Cryptographic Signature, reflecting a failure to adequately validate the authenticity of cryptographic material during session handling.
When machine keys can be stolen and replayed, an attacker effectively inherits the trust level of the legitimate server, enabling them to forge or hijack user sessions without needing valid credentials.
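The following added example (not ConnectWise code, and not ScreenConnect's actual session format) uses a constructed HMAC-signed token to show why a verifier cannot distinguish a server-issued session from one signed by any holder of the same key, and why replacing the key invalidates both. The function names, token layout and the rotation step are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def issue_token(key: bytes, user: str) -> str:
    """Serialize the session claims and append an HMAC-SHA256 tag."""
    body = json.dumps({"user": user}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)


def verify_token(key: bytes, token: str):
    """Return the user name if the tag checks out under `key`, else None."""
    try:
        body_b64, tag_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:  # wrong field count or invalid base64
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return json.loads(body)["user"]


def demo() -> dict:
    server_key = secrets.token_bytes(32)   # constructed stand-in for a machine key
    copied_key = bytes(server_key)         # same bytes, as read from an unprotected file
    rotated_key = secrets.token_bytes(32)  # key in use after the server re-keys

    legit = issue_token(server_key, "alice")
    foreign = issue_token(copied_key, "admin")  # not minted by the server
    spliced = foreign.split(".")[0] + "." + legit.split(".")[1]
    return {
        "legit_before": verify_token(server_key, legit),
        "foreign_before": verify_token(server_key, foreign),
        "spliced": verify_token(server_key, spliced),
        "legit_after_rotation": verify_token(rotated_key, legit),
        "foreign_after_rotation": verify_token(rotated_key, foreign),
    }
```

The signature check still rejects altered claims (`spliced`), so the weakness lies in the confidentiality of the key, which is what encrypted storage of the key material addresses.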
The CVSS vector highlights several concerning characteristics: the attack is network-accessible, requires no privileges or user interaction, and results in a scope change, meaning a successful exploit can impact components beyond the vulnerable server itself.
The combination of High confidentiality, integrity, and availability impact underscores the potential for complete session compromise across managed endpoints.
ScreenConnect is widely deployed across managed service providers (MSPs) and enterprise environments for remote desktop access and support. A successful exploitation scenario could allow a threat actor who has gained partial server access through a separate vulnerability, misconfiguration, or compromised credentials to escalate their position by extracting machine keys, then silently authenticate as any active session user.
This type of lateral movement is particularly dangerous in MSP environments where a single ScreenConnect instance may manage hundreds or thousands of client endpoints.
ConnectWise notes that the vulnerability requires “additional access or privilege” to exploit, which is why it is rated Important rather than Critical, but the Priority 1 designation signals that the threat landscape warrants immediate attention regardless of that nuance.
ConnectWise has addressed the issue in ScreenConnect version 26.1, which introduces encrypted storage and improved lifecycle management for machine keys, significantly hardening the platform against key extraction attacks.
- Cloud-hosted instances require no action, as ConnectWise has already applied the update.
- On-premise deployments must upgrade to version 26.1 immediately. Partners can download the update from the official ScreenConnect download page with a valid on-premises license.
- Partners using ScreenConnect integrated with ConnectWise Automate can access the update through the Automate Product Updates page.
Organizations running out-of-maintenance licenses must renew or upgrade their license before installing the latest release. Given the Priority 1 classification, ConnectWise recommends treating this as an emergency change and applying the patch within days, not weeks.
Site: cybersecuritypath.com