CVE-2025-3935: 
ScreenConnect Server vulnerability analysis and mitigation

ScreenConnect versions 25.2.3 and earlier versions are susceptible to a ViewState code injection attack in ASP.NET Web Forms. The vulnerability (CVE-2025-3935) was discovered and disclosed on April 25, 2025. The vulnerability affects the ViewState functionality used to preserve page and control state in ASP.NET Web Forms, where data is encoded using Base64 and protected by machine keys (NVD, ConnectWise Bulletin).

The vulnerability involves ASP.NET Web Forms' ViewState mechanism, which uses machine keys for validation and encryption. When these machine keys are compromised, attackers can craft and send malicious ViewState data to the website. The vulnerability has been assigned a CVSS v3.1 base score of 8.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H and is classified under CWE-287 (Improper Authentication) (NVD, AttackerKB).

If successfully exploited, the vulnerability could allow attackers to execute remote code on the server through malicious ViewState data manipulation. This could potentially lead to complete system compromise, affecting the confidentiality, integrity, and availability of the server (ConnectWise Bulletin).

ConnectWise has released version 25.2.4 which completely disables ViewState and removes any dependency on it. For cloud-hosted instances (screenconnect.com and hostedrmm.com), no action is required as patches have been automatically applied. On-premises users with active maintenance should upgrade to version 25.2.4 following the upgrade path: 22.8 → 23.3 → 25.2.4. For users without active maintenance, security patches are available for versions dating back to 23.9 (ConnectWise Bulletin).