ConnectWise has released a security update for ScreenConnect that encrypts machine keys to prevent server compromise. The patch addresses CVE-2026-3564, a critical vulnerability exposing ASP.NET machine key material used for session authentication, and users are urged to update to ScreenConnect 26.1 and tighten access controls. #ScreenConnect #ConnectWise #CVE-2026-3564 #ASP.NET
Keypoints
- ConnectWise released ScreenConnect version 26.1 to strengthen machine key handling and storage.
- The update remediates CVE-2026-3564, a critical flaw with a CVSS score of 9.0.
- Previously, unique machine keys were stored in server configuration files and could be exfiltrated.
- Disclosed ASP.NET machine key material could allow attackers to elevate privileges and access active sessions, with alleged historical abuse claims.
- Users should update immediately, restrict access to configuration files and backups, review access controls, and monitor logs for suspicious activity.
Read More: https://www.securityweek.com/critical-screenconnect-vulnerability-exposes-machine-keys/