External risk intelligence

ScreenConnect: Code Injection Risk from ViewState Compromise.

CVE advisoryKnown Exploit

CVE-2025-3935

Certain versions of ScreenConnect software face a code injection risk if privileged machine keys are compromised, potentially allowing remote code execution on affected servers. This stems from platform-level behavior, not a direct software flaw. A patch is available that addresses this risk.

4Halo Surface Signal

Deserialization

Connectwise Screenconnect

before 25.2.4

External exposure likelihood

Halo Surface Signal score for CVE-2025-3935

ConnectWise ScreenConnect is a remote access and support platform, which is typically deployed as an internet-facing service to facilitate connectivity between remote technicians and client machines. As an edge-accessible management gateway, it is commonly exposed to the public internet in standard deployment patterns.

Horizon Alert

Summary of the vulnerability and why it matters

Certain versions of ScreenConnect software are susceptible to a code injection flaw. This weakness allows attackers to potentially execute arbitrary code on the server if they can first compromise privileged system keys. The impact could include unauthorized access and control over affected systems.

Vulnerable ScreenConnect software versions.
ViewState code injection.
Remote code execution on servers.

Attack Path

How an attacker could exploit the issue

This vulnerability arises from a platform-level behavior rather than a specific flaw introduced by the software. Attackers must first compromise privileged system-level access to obtain sensitive machine keys. With these keys, an attacker can craft and deliver a malicious ViewState, potentially leading to remote code execution on the server.

Exposure through privileged access.
Attacker crafts malicious ViewState.
Remote code execution on server.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an attacker to execute code remotely on a server if they compromise specific machine keys. The risk originates from platform-level behavior rather than the application itself. A patch is available that disables the vulnerable feature.

Attackers with high skill needed.
Requires privileged access to machine keys.
Elevated business risk; treat as urgent.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

An organization's ScreenConnect instances may be vulnerable to code injection if machine keys are compromised. This could allow remote code execution on the server. The issue stems from platform-level behavior, not a direct ScreenConnect vulnerability, and does not impact the ScreenConnect Client. The vendor has released a patch that disables ViewState and removes dependencies on it.

Identify ScreenConnect assets.
Reduce exposure or isolate risk.
Fix, verify, and monitor.

Frequently asked questions

What is ScreenConnect software and its purpose?

ScreenConnect is a software solution designed for remote access and IT support. It enables technicians to connect to and manage remote computers efficiently, facilitating remote system maintenance and assistance.

What is the CVE-2025-3935 weakness in ScreenConnect?

CVE-2025-3935 relates to a deserialization of untrusted data vulnerability (CWE-502). In ScreenConnect, this could allow an attacker to inject malicious code via a compromised ViewState, leading to remote code execution if specific machine keys are also compromised.

How can an attacker exploit the ScreenConnect ViewState weakness?

Exploitation requires an attacker to first gain privileged system-level access to compromise sensitive machine keys. Once these keys are obtained, the attacker can create and send a malicious ViewState to the website, potentially enabling remote code execution on the server.

What is the relevance of CVE-2025-3935 for organizations using ScreenConnect?

The Halo Surface Signal indicates a 'Likely' risk due to ScreenConnect's common deployment as an internet-facing remote access platform. This makes it an edge-accessible management gateway frequently exposed to the public internet, increasing the potential impact of the vulnerability.

What is the recommended action for ScreenConnect instances vulnerable to CVE-2025-3935?

Organizations should identify their ScreenConnect assets, reduce exposure or isolate risk, and apply the vendor's patch (version 2025.4 or later) which disables ViewState and removes dependencies. Verification and ongoing monitoring are also recommended.

References

Written by Nicholas Merritt

External-surface CVE analysis and Halo Surface Signal prioritization for Halo Threat Intelligence.