ViewState Code Injection Vulnerability in ConnectWise ScreenConnect
CVE-2025-3935
Key Information:
- Vendor
Connectwise
- Status
- Vendor
- CVE Published:
- 25 April 2025
Badges
What is CVE-2025-3935?
CVE-2025-3935 refers to a vulnerability identified in the ConnectWise ScreenConnect remote support software, specifically affecting versions up to 25.2.3. ScreenConnect is widely used for remote desktop and support services, allowing technicians to connect to client machines for troubleshooting and assistance. The vulnerability stems from a ViewState code injection attack, a syntax utilized in ASP.NET Web Forms that preserves the state of a web page between postbacks. If an attacker gains privileged system-level access and obtains the machine keys used for encoding this ViewState data, they can craft a malicious ViewState. This could enable the execution of arbitrary code on the server itself, presenting severe risks to the confidentiality, integrity, and availability of the system and any sensitive data it handles.
Potential impact of CVE-2025-3935
-
Remote Code Execution: The most significant risk is the potential for remote code execution, allowing attackers to execute arbitrary commands on the server. This could lead to full system compromise, unauthorized access to sensitive information, and operational disruption.
-
Data Breach Risks: As ScreenConnect is often used to manage remote system support, exploitation of this vulnerability could enable attackers to access sensitive customer data, proprietary information, and internal communications, leading to potential data breaches.
-
Indirect Vulnerability Exploitation: Even though the vulnerability is not a flaw in the ScreenConnect application itself, the underlying platform behavior poses a risk. If attackers can exploit this issue, they may gain further access to interconnected systems, increasing the attack surface and complicating incident response and remediation efforts.
CISA has reported CVE-2025-3935
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitor the most dangerious vulnerabilities and have identifed CVE-2025-3935 as being exploited but is not known by the CISA to be used in ransomware campaigns. This is subject to change at pace as recent news articles suggest the vulnerability is being used by ransomware groups.
The CISA's recommendation is: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Affected Version(s)
ScreenConnect Microsoft ASP.NET <25.2.3
News Articles
Questions Swirl Around ConnectWise Flaw Used in Attacks
ConnectWise issued a patch to stave off attacks on ScreenConnect customers, but the company's disclosures don't explain what the vulnerability is and when it was first exploited.
19 hours ago
Help Net SecurityCVE-2025-3935Attackers breached ConnectWise, compromised customer ScreenConnect instances - Help Net Security
A suspected nation state threat actor has compromised ScreenConnect cloud instances of a "very small number" of ConnectWise customers
4 days ago
ConnectWise customers get mysterious warning about 'sophisticated' nation-state hack
ConnectWise has brought in the big guns to investigate a "sophisticated nation state actor" that broke into its IT environment and then breached some of its customers. In a May 28 advisory, the IT management...
1 week ago
References
EPSS Score
19% chance of being exploited in the next 30 days.
CVSS V3.1
Timeline
- 🦅
CISA Reported
- 👾
Exploit known to exist
- 💰
Used in Ransomware
- 📰
First article discovered by The Hacker News
Vulnerability published