ConnectWise Patches Critical ViewState RCE Vulnerability in ScreenConnect (CVE-2025-3935)
ConnectWise has addressed a critical remote code execution vulnerability (CVE-2025-3935) in ScreenConnect versions 25.2.3 and earlier, with a high CVSS score of 8.1. The flaw, rooted in the ASP.NET ViewState mechanism, could allow attackers with privileged access to inject malicious data, potentially leading to server compromise. ConnectWise has mitigated the issue in version 25.2.4 by disabling ViewState and removing its dependency. While cloud-hosted deployments have been automatically updated, on-premises users are strongly advised to upgrade immediately. Notably, ConnectWise is offering free security patches for older versions back to 23.9, even for users without active maintenance contracts. This incident underscores the broader security risks associated with legacy ASP.NET implementations, which may impact other enterprise products beyond ScreenConnect.
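For teams tracking on-premises instances, the version boundaries above can be turned into a quick inventory triage. This is an added example, not ConnectWise tooling; the host names, the `hosting` labels and the inventory layout are constructed assumptions, and only the version numbers come from the article.

```python
import re

FIXED = (25, 2, 4)      # first release with ViewState disabled (from the article)
PATCH_FLOOR = (23, 9)   # oldest release line offered a free patch (from the article)

def parse_version(text):
    """Parse '25.2.3' or '25.2.3.9188' into a tuple of ints; None if malformed."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){1,3}", text):
        return None
    return tuple(int(part) for part in text.split("."))

def triage(version_text, hosting):
    """Classify one instance. `hosting` is 'cloud' or 'on-prem' (assumed labels)."""
    if hosting == "cloud":
        return "cloud: updated automatically by ConnectWise"
    version = parse_version(version_text)
    if version is None:
        return "unknown: version string unreadable, check by hand"
    # Compare on major.minor.patch only; a trailing build number is ignored.
    core = (version + (0, 0))[:3]
    if core >= FIXED:
        return "fixed"
    if core[:2] >= PATCH_FLOOR:
        return "vulnerable: upgrade to 25.2.4 or apply the free patch"
    return "vulnerable: older than 23.9, upgrade"

def report(inventory):
    """Return (host, verdict) pairs with vulnerable hosts listed first."""
    rows = [(host, triage(ver, hosting)) for host, ver, hosting in inventory]
    return sorted(rows, key=lambda row: not row[1].startswith("vulnerable"))

# Constructed sample inventory: (host, reported version, hosting model)
SAMPLE = [
    ("sc-hq-01", "25.2.4", "on-prem"),
    ("sc-branch-02", "25.2.3.9188", "on-prem"),
    ("sc-legacy-03", "22.10.1", "on-prem"),
    ("sc-lab-04", "23.9", "on-prem"),
    ("sc-saas-05", "25.2.3", "cloud"),
    ("sc-odd-06", "v25", "on-prem"),
]

if __name__ == "__main__":
    for host, verdict in report(SAMPLE):
        print(f"{host:14} {verdict}")
```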