CVE-2025-3935

Known Exploited
ScreenConnect Exposure to ASP.NET ViewState Code Injection

Description

ScreenConnect versions 25.2.3 and earlier versions may be susceptible to a ViewState code injection attack. ASP.NET Web Forms use ViewState to preserve page and control state, with data encoded using Base64 protected by machine keys.  It is important to note that to obtain these machine keys, privileged system level access must be obtained. If these machine keys are compromised, attackers could create and send a malicious ViewState to the website, potentially leading to remote code execution on the server.  The risk does not originate from a vulnerability introduced by ScreenConnect, but from platform level behavior.  This had no direct impact to ScreenConnect Client. ScreenConnect 2025.4 patch disables ViewState and removes any dependency on it.

Remediation

Solution:

  • Cloud: No action is required. On-premises: Upgrade to the latest stable version. Details and guidance can be found here: ScreenConnect 25.2.4 Security Patch https://www.connectwise.com/company/trust/security-bulletins/screenconnect-security-patch-2025.4

Category

8.1
CVSS
Severity: High
CVSS 3.1 •
EPSS 0.26%
KEV Since 
Vendor Advisory connectwise.com Vendor Advisory connectwise.com
Affected: ConnectWise ScreenConnect
Published at:
Updated at:

References

Link Tags
https://www.connectwise.com/company/trust/security-bulletins/screenconnect-security-patch-2025.4 vendor advisory
https://www.connectwise.com/company/trust/advisories vendor advisory

Frequently Asked Questions

What is the severity of CVE-2025-3935?
CVE-2025-3935 has been scored as a high severity vulnerability.
How to fix CVE-2025-3935?
To fix CVE-2025-3935: Cloud: No action is required. On-premises: Upgrade to the latest stable version. Details and guidance can be found here: ScreenConnect 25.2.4 Security Patch https://www.connectwise.com/company/trust/security-bulletins/screenconnect-security-patch-2025.4
Is CVE-2025-3935 being actively exploited in the wild?
It is confirmed that CVE-2025-3935 is actively exploited. Be extra cautious if you are using vulnerable components. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-3935?
CVE-2025-3935 affects ConnectWise ScreenConnect.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.