CVE-2025-3935 Overview
ScreenConnect versions 25.2.3 and earlier may be susceptible to a ViewState code injection attack. ASP.NET Web Forms use ViewState to preserve page and control state; the data is Base64-encoded and protected by machine keys. If these machine keys are compromised, attackers could craft a malicious ViewState and send it to the website, potentially leading to remote code execution on the server.
Critical Impact
Remote code execution could be achieved if machine keys are compromised. This vulnerability is due to platform behavior, not ScreenConnect itself.
Affected Products
- ConnectWise ScreenConnect versions 25.2.3 and earlier
Discovery Timeline
- 2025-04-25 - CVE-2025-3935 published to NVD
- 2025-10-24 - Last updated in NVD database
Technical Details for CVE-2025-3935
Vulnerability Analysis
This vulnerability allows for ViewState code injection, which can be exploited if an attacker gains access to the encryption machine keys. By sending a specially crafted ViewState, the attacker can execute arbitrary code on the server.
Root Cause
The root cause lies in the use of ViewState without sufficient security measures, enabling code injection if machine keys are compromised.
Attack Vector
The attack vector is via the network, specifically targeting the ASP.NET ViewState mechanism used by vulnerable ScreenConnect versions.
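// Example exploitation code (sanitized)
// "<malicious_payload>" is a placeholder, not a valid ViewState. The attack
// depends on the machine keys being compromised, as described above.
using System;
using System.IO;
using System.Net;
using System.Text;

string viewState = Convert.ToBase64String(Encoding.UTF8.GetBytes("<malicious_payload>"));
string url = "http://vulnerable_site/target_page";
HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url);
request.Method = "POST";
// Dispose the writer so the request stream is always closed.
using (StreamWriter writer = new StreamWriter(request.GetRequestStream()))
{
    writer.Write("__VIEWSTATE=" + viewState);
}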
Detection Methods for CVE-2025-3935
Indicators of Compromise
- Unexpected ViewState data in HTTP requests
- Unauthorized modifications to machine key storage
Detection Strategies
Monitoring network traffic for suspicious ViewState data and checking logs for unauthorized modifications to the machine key can help detect potential exploitation attempts.
Monitoring Recommendations
Implement network monitoring using tools like Wireshark to capture and analyze ViewState data. Utilize logging tools to track access to sensitive configuration files containing machine keys.
How to Mitigate CVE-2025-3935
Immediate Actions Required
- Disable ViewState functionality if not required
- Update to ScreenConnect 2025.4 or later
- Secure machine keys with stronger access control measures
Patch Information
ConnectWise has released a patch in version 2025.4 that disables ViewState and removes dependency on it.
Workarounds
Disabling ViewState and managing machine keys securely can mitigate the risk without requiring immediate patching.
<!-- Configuration example to disable ViewState (web.config) -->
<system.web>
  <pages enableViewState="false" />
</system.web>
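The configuration checks described under Monitoring Recommendations and Workarounds can be automated. The following is an added example, not part of the original advisory or ConnectWise's code: it audits a web.config for machine key material stored in the file, for whether ViewState is disabled, and for drift from a stored fingerprint. The sample file and its key values are constructed, and it assumes the keys live in a `<machineKey>` element under `<system.web>`, which should be confirmed against the actual installation.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample web.config; key values are made up, not from a real install.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="0123ABCD-CONSTRUCTED" decryptionKey="4567EF01-CONSTRUCTED"
                validation="HMACSHA256" decryption="AES" />
    <pages enableViewState="true" />
  </system.web>
</configuration>"""


def machine_key_fingerprint(xml_text):
    """SHA-256 over the sorted <machineKey> attributes, so a baseline can be
    stored and compared without keeping the key material itself."""
    mk = ET.fromstring(xml_text).find("system.web/machineKey")
    if mk is None:
        return None
    canon = "|".join(f"{k}={mk.attrib[k]}" for k in sorted(mk.attrib))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def audit_web_config(xml_text, baseline_fingerprint=None):
    """Return a list of findings for one web.config document."""
    root = ET.fromstring(xml_text)
    findings = []
    mk = root.find("system.web/machineKey")
    if mk is not None:
        for attr in ("validationKey", "decryptionKey"):
            # An absent attribute means ASP.NET auto-generates the key.
            if not mk.get(attr, "AutoGenerate").startswith("AutoGenerate"):
                findings.append(f"static {attr} in file: restrict file ACLs")
    pages = root.find("system.web/pages")
    if pages is None or pages.get("enableViewState", "true").lower() != "false":
        findings.append("ViewState not disabled")
    if baseline_fingerprint is not None:
        if machine_key_fingerprint(xml_text) != baseline_fingerprint:
            findings.append("machineKey differs from baseline")
    return findings


if __name__ == "__main__":
    baseline = machine_key_fingerprint(SAMPLE_WEB_CONFIG)
    tampered = SAMPLE_WEB_CONFIG.replace("0123ABCD", "FFFFFFFF")
    print(audit_web_config(SAMPLE_WEB_CONFIG, baseline))
    print(audit_web_config(tampered, baseline))
```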
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

