Critical ScreenConnect Flaw (CVE-2026-3564) Lets Attackers Hijack RMM Servers

CVE-2026-3564 exposes unencrypted ASP.NET machine keys in ConnectWise ScreenConnect, enabling attackers to forge authentication tokens and take full control of RMM servers. ConnectWise’s 26.1 patch encrypts key storage; immediate mitigation includes patching, rotating keys, and tightening network access.

Overview/Introduction

On March 21, 2026 ConnectWise disclosed a critical vulnerability in its flagship remote monitoring and management (RMM) product, ScreenConnect (also known as ConnectWise Control). The flaw, cataloged as CVE-2026-3564, allows an adversary who can read the server’s configuration files to retrieve the ASP.NET machine keys that protect session data, view state, and authentication cookies. With those keys in hand, the attacker can generate forged tokens, hijack active sessions, and ultimately obtain full administrative control of the ScreenConnect server.

Given the widespread adoption of ScreenConnect in enterprise help-desks, MSPs, and IT service providers, the vulnerability carries a CVSS v3.1 base score of 9.0 (Critical). The issue stems from insecure handling and storage of cryptographic material: a classic case of “keys in the clear” that has plagued many web-based platforms.

Technical Details

CVE Identification and Root Cause

The vulnerability is tracked as CVE-2026-3564. ScreenConnect runs on the ASP.NET framework and relies on machineKey elements in the web.config file to sign and encrypt view state, authentication tickets, and custom protected data. In versions prior to 26.1, ConnectWise stored these keys in plain text within the server’s configuration directory (%ProgramData%\ScreenConnect\Config\web.config) and also duplicated them in backup archives. The keys were never encrypted at rest, nor were they protected by OS-level ACLs beyond the default service account permissions.
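The root cause above is a generic ASP.NET configuration pattern, so it can be audited offline. The following is an added example (not ConnectWise code) that classifies how a web.config holds its machineKey: literal keys in the clear, keys wrapped with ASP.NET protected configuration (the DPAPI provider that aspnet_regiis -pe produces), runtime auto-generation, or no element at all. The three sample documents are constructed; the key values are dummies.

```python
"""Audit an ASP.NET web.config for machineKey material stored in the clear.

Added example, not ConnectWise code: it inspects the generic ASP.NET
<system.web><machineKey> element that ScreenConnect relies on. The three
sample documents below are constructed for the demonstration.
"""
import xml.etree.ElementTree as ET

# ASP.NET machineKey algorithm names the audit reports as weak.
WEAK_VALIDATION = {"MD5", "SHA1"}
WEAK_DECRYPTION = {"DES", "3DES"}

# Constructed sample 1: literal keys, readable by anyone who can read the file.
PLAINTEXT_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="0A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D4E5F60718293A4B5C6D7E8F9"
                decryptionKey="00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>"""

# Constructed sample 2: the section encrypted with ASP.NET protected
# configuration (DPAPI provider); the ciphertext is a placeholder.
PROTECTED_CONFIG = """<configuration>
  <system.web>
    <machineKey configProtectionProvider="DataProtectionConfigurationProvider">
      <EncryptedData>
        <CipherData>
          <CipherValue>PLACEHOLDER-BASE64-CIPHERTEXT</CipherValue>
        </CipherData>
      </EncryptedData>
    </machineKey>
  </system.web>
</configuration>"""

# Constructed sample 3: keys generated at runtime, nothing secret in the file.
AUTOGEN_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps" validation="HMACSHA256" />
  </system.web>
</configuration>"""


def _child(elem, tag):
    """Return the first direct child with the given tag, or None."""
    return next((c for c in elem if c.tag == tag), None)


def audit_machine_key(web_config_xml: str) -> dict:
    """Classify how a web.config holds its machineKey secrets.

    Returns {'status': ..., 'findings': [...]} where status is one of
    'absent', 'autogenerate', 'protected' or 'plaintext'. Only 'plaintext'
    means that reading the file also yields the signing/encryption keys.
    """
    root = ET.fromstring(web_config_xml)
    system_web = _child(root, "system.web")
    mk = _child(system_web, "machineKey") if system_web is not None else None
    findings = []

    if mk is None:
        return {"status": "absent", "findings": findings}

    # Protected configuration replaces the attributes with <EncryptedData>.
    if mk.get("configProtectionProvider") and _child(mk, "EncryptedData") is not None:
        return {"status": "protected", "findings": findings}

    vkey = mk.get("validationKey", "AutoGenerate,IsolateApps")
    dkey = mk.get("decryptionKey", "AutoGenerate,IsolateApps")
    vkey_literal = not vkey.startswith("AutoGenerate")
    dkey_literal = not dkey.startswith("AutoGenerate")
    if not vkey_literal and not dkey_literal:
        return {"status": "autogenerate", "findings": findings}

    if vkey_literal:
        findings.append(f"validationKey stored in clear text ({len(vkey)} hex chars)")
    if dkey_literal:
        findings.append(f"decryptionKey stored in clear text ({len(dkey)} hex chars)")

    # Only flag algorithms that are explicitly configured; defaults are not assumed.
    validation = mk.get("validation", "").upper()
    decryption = mk.get("decryption", "").upper()
    if validation in WEAK_VALIDATION:
        findings.append(f"weak validation algorithm {validation}")
    if decryption in WEAK_DECRYPTION:
        findings.append(f"weak decryption algorithm {decryption}")
    return {"status": "plaintext", "findings": findings}


if __name__ == "__main__":
    for name, doc in [("plaintext", PLAINTEXT_CONFIG),
                      ("protected", PROTECTED_CONFIG),
                      ("autogen", AUTOGEN_CONFIG)]:
        print(name, audit_machine_key(doc))
```

Run it against a copy of each server's web.config (and of any web.config found inside backup archives); a 'plaintext' result is exactly the condition the advisory describes, and the same check is a cheap regression test after the 26.1 upgrade.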

Attack Vector

Exploitation requires one of the following conditions:

  • Local system access (e.g., compromised service account, privilege escalation on the host).
  • Remote file-share access to the configuration directory (common in poorly segmented networks).
  • Backup exfiltration: attackers who obtain a copy of the server’s backup can extract the web.config file.

Once the attacker reads the machineKey values (validationKey and decryptionKey), they can reconstruct the HMACs and encrypted payloads that ScreenConnect expects. This enables two practical attack paths:

  1. Session Hijacking: Forge a valid authentication cookie for any user, including the built-in admin account, and inject it into a browser session.
  2. ViewState / Data Tampering: Craft malicious __VIEWSTATE or __EVENTVALIDATION fields that bypass the server’s anti-tampering checks, allowing arbitrary code execution within the web application context.

Exploitation Methodology

Public proof-of-concept scripts have been shared on underground forums. The typical workflow is:

# 1. Retrieve machineKey from web.config
machine_key=$(cat /opt/screenconnect/config/web.config | grep -Po '(?<=validationKey=")[^\"]+')
# 2. Generate a forged FormsAuthenticationTicket
payload=$(python3 forge_ticket.py --key $machine_key --user admin)
# 3. Encode payload as an authentication cookie and send to the server
curl -b "ScreenConnectAuth=$payload" https://rmm.example.com/

Because the forged ticket is cryptographically valid, the server treats the request as coming from a legitimate administrator, granting full access to the management console, session replay, and remote command execution capabilities.

Impact Analysis

The breach surface is extensive:

  • Enterprise RMM Deployments: Companies that host internal ScreenConnect instances for help-desk or remote support are directly exposed.
  • Managed Service Providers (MSPs): A compromised MSP server can cascade to every client environment they manage, effectively giving attackers a foothold across dozens or hundreds of organizations.
  • Regulated Industries: Healthcare, finance, and critical infrastructure that rely on ScreenConnect for remote access may face compliance violations (HIPAA, PCI-DSS) if the server is compromised.

Given the ability to impersonate any user, an attacker can:

  • Deploy ransomware or data-exfiltration tools to endpoints under the RMM’s control.
  • Modify or delete audit logs, making forensic analysis difficult.
  • Escalate privileges to the underlying host OS via built-in “run command” features, leading to full server takeover.

The combination of remote execution, credential theft, and persistence makes the overall risk “critical.”

Timeline of Events

  • 2025-11-02: Initial internal security review at ConnectWise discovers that machine keys are written in clear text.
  • 2026-01-15: Security researcher “ZeroDayMike” publishes a write-up on an internal forum, describing the key-extraction technique.
  • 2026-02-28: ConnectWise assigns a “high” priority to the issue and begins development of encrypted key storage.
  • 2026-03-12: Public advisory released; CVE-2026-3564 assigned CVSS 9.0.
  • 2026-03-21: Version 26.1 shipped with encrypted machineKey handling, automatic key rotation, and hardened ACLs.
  • 2026-03-24: Multiple threat-intel feeds report active exploitation attempts targeting unpatched installations.

Mitigation/Recommendations

  1. Patch Immediately: Upgrade all ScreenConnect instances to version 26.1 or later. The update encrypts machine keys using DPAPI on Windows and the Linux equivalent, and stores them in a protected vault.
  2. Rotate Machine Keys: After patching, force a full key rotation. ConnectWise provides a PowerShell script (Reset-MachineKey.ps1) that regenerates validationKey and decryptionKey and updates the encrypted store.
  3. Restrict Access to Configuration Files: Apply NTFS ACLs so only the ScreenConnect service account can read web.config. Remove read permissions for any domain users or service accounts that do not require them.
  4. Secure Backups: Ensure backups are encrypted at rest and that backup files containing web.config are stored in a separate, air-gapped location.
  5. Network Segmentation: Place RMM servers in a dedicated VLAN with strict inbound/outbound firewall rules. Only allow management consoles and trusted admin workstations to communicate over HTTPS (port 443).
  6. Monitoring & Detection: Enable logging for EventLog entries related to authentication cookie creation, and set up SIEM alerts for anomalous login patterns or “admin” sessions originating from unknown IP ranges.
  7. Incident Response Preparedness: If you suspect key exposure, assume the server is compromised. Isolate the host, rotate all keys, and perform a forensic capture before re-imaging.
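Recommendation 6 asks for alerts on anomalous admin sessions. The following is an added example (not ConnectWise code, and not ScreenConnect's real log format) of the detection logic a SIEM rule would express: a forged FormsAuthentication cookie lets a request arrive already "authenticated", so session activity with no preceding login from the same source, or admin activity from outside the admin VLAN of recommendation 5, is flagged. The log format, field names, the trusted network and the log lines are all constructed assumptions.

```python
"""Flag ScreenConnect admin activity that looks like a forged session.

Added example, not ConnectWise code. The log format, field names and the
trusted admin network are assumptions; the log lines are constructed.
"""
import ipaddress
from datetime import datetime, timedelta

# Assumed: admin consoles live in this VLAN (recommendation 5 on the page).
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/24")]
# How long a login event vouches for later activity from the same (user, src).
LOGIN_LOOKBACK = timedelta(hours=12)

# Constructed sample log in a hypothetical "ts event=... user=... src=..." format.
SAMPLE_LOG = [
    "2026-03-24T10:00:00Z event=LoginSucceeded user=admin src=10.20.0.15",
    "2026-03-24T10:03:10Z event=SessionActivity user=admin src=10.20.0.15 action=ViewDashboard",
    "2026-03-24T10:30:00Z event=SessionActivity user=admin src=203.0.113.77 action=RunCommand",
    "2026-03-24T11:00:00Z event=LoginSucceeded user=jdoe src=198.51.100.9",
    "2026-03-24T11:01:00Z event=SessionActivity user=jdoe src=198.51.100.9 action=ViewSession",
]


def parse_line(line: str) -> dict:
    """Split 'ISO-timestamp k=v k=v ...' into a record with a datetime 'ts'."""
    ts_text, *fields = line.split()
    rec = {"ts": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def is_trusted(src: str) -> bool:
    """True when the source address falls inside an allowed admin network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in TRUSTED_ADMIN_NETS)


def detect_forged_sessions(lines) -> list:
    """Return one alert dict per suspicious event, in log order."""
    alerts = []
    last_login = {}  # (user, src) -> time of most recent successful login
    for rec in map(parse_line, lines):
        user, src, ts = rec["user"], rec["src"], rec["ts"]
        key = (user, src)
        if rec["event"] == "LoginSucceeded":
            last_login[key] = ts
            if user == "admin" and not is_trusted(src):
                alerts.append({"ts": ts, "user": user, "src": src,
                               "reason": "admin login from untrusted network"})
            continue

        # Every other authenticated event should be backed by a recent login
        # from the same source; a forged cookie skips that step entirely.
        login_ts = last_login.get(key)
        if login_ts is None or ts - login_ts > LOGIN_LOOKBACK:
            alerts.append({"ts": ts, "user": user, "src": src,
                           "reason": "session activity without preceding login"})
        if user == "admin" and not is_trusted(src):
            alerts.append({"ts": ts, "user": user, "src": src,
                           "reason": "admin activity from untrusted network"})
    return alerts


if __name__ == "__main__":
    for alert in detect_forged_sessions(SAMPLE_LOG):
        print(alert)
```

On the sample log only the third line fires, and it fires twice: the admin session from 203.0.113.77 has no login behind it and comes from outside the admin VLAN. The "no preceding login" rule is the one that matters for this CVE, because a forged ticket is cryptographically valid and would pass every check that looks only at the cookie itself.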

Real-World Impact

Early reports indicate that at least three MSPs in North America suffered ransomware deployments after attackers leveraged CVE-2026-3564 to gain admin access to their ScreenConnect consoles. In each case, the attackers used the “run command” feature to push a PowerShell payload that encrypted all client endpoints, demanding multi-million-dollar payouts.

For enterprises that host their own ScreenConnect instance, the vulnerability translates into a “single point of failure.” A compromised RMM server can silently pivot to every device under its management, including servers, workstations, and even IoT gateways. The breach can therefore bypass perimeter defenses, making detection far more challenging.

Beyond immediate ransomware, the exposure of machine keys also enables long-term persistence. Attackers can embed back-doors in the encrypted viewstate data, ensuring they retain access even after password changes or MFA enforcement on the admin console.

Expert Opinion

As a senior cybersecurity analyst, I view CVE-2026-3564 as a wake-up call for the RMM industry. The reliance on ASP.NET’s machineKey for cryptographic signing is not inherently insecure, but the implementation decisions (storing the keys in clear text and allowing them to be backed up without protection) created a low-effort, high-reward attack surface.

Two broader lessons emerge:

  1. Zero Trust for Cryptographic Material: Any secret used for authentication must be encrypted at rest, access-controlled, and regularly rotated. Vendors should adopt platform-native secret stores (e.g., Azure Key Vault, HashiCorp Vault) instead of custom file-based storage.
  2. Supply-Chain Vigilance: Many organizations trust RMM tools as a “managed service” and therefore overlook hardening them. Security teams must treat RMM servers as critical assets, subject to the same patch-management cadence and segmentation as core infrastructure.

ConnectWise’s rapid response, delivering an encrypted-key solution within weeks, is commendable, but the real test will be how quickly customers adopt the patch. Given the potential for widespread exploitation, I recommend that any organization still running pre-26.1 versions treat this as a “critical emergency” and allocate resources accordingly.