Server-Side Validation Flaw in ScreenConnect by ConnectWise
CVE-2025-14265

9.1CRITICAL

Key Information:

Vendor

Connectwise
Status
Screenconnect
Vendor
CVE Published:
11 December 2025

Badges

πŸ“ˆ Score: 243πŸ‘Ύ Exploit ExistsπŸ“° News Worthy

What is CVE-2025-14265?

CVE-2025-14265 is a vulnerability identified in the ScreenConnect application by ConnectWise, which serves as a remote access and control solution for IT support and management. This flaw specifically affects versions prior to 25.8 and is related to inadequate server-side validation processes within the software's extension subsystem. The vulnerability allows authorized users, including administrators, to potentially install and execute untrusted extensions. This can lead to the execution of arbitrary code on the server, posing serious security risks. If exploited, the vulnerability could enable unauthorized access to sensitive application configuration data, compromising the integrity and confidentiality of the system.

Potential impact of CVE-2025-14265

  1. Remote Code Execution: The vulnerability opens a pathway for attackers to execute arbitrary code on the server hosting ScreenConnect, which could lead to complete system compromise and unauthorized control.

  2. Unauthorized Access to Sensitive Data: Exploiting this vulnerability may grant attackers access to sensitive application configuration data, risking data confidentiality and integrity.

  3. Impact on Operational Stability: An exploit could disrupt services provided by ScreenConnect, leading to interruptions in support operations and possibly damaging the organization's reputation and trust with its clients.

Affected Version(s)

ScreenConnect All versions prior to 2025.8

News Articles

favicon imageCyber Press

Critical ScreenConnect Vulnerability Allows Attackers to Expose Sensitive Configuration Data

The vulnerability, tracked as CVE-2025-14265, carries a CVSS score of 9.1, indicating severe potential impact despite requiring administrative-level access to exploit.

2 weeks ago

favicon imageCybersecurityNews

Critical ScreenConnect Vulnerability Let Attackers Expose Sensitive Configuration Data

ConnectWise released an update for ScreenConnect to fix a bug that could let attackers see sensitive data and install unsafe extensions.

2 weeks ago

References

https://www.connectwise.com/company/trust/security-bullet...

CVSS V3.1

Score:
9.1
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Changed

Timeline

  • πŸ‘Ύ

    Exploit known to exist

  • πŸ“°

    First article discovered by CybersecurityNews

  • Vulnerability published

  • Vulnerability Reserved

JSON
.
CVE-2025-14265 : Server-Side Validation Flaw in ScreenConnect by ConnectWise