ScreenConnect Flaw: Hackers Extract Keys, Hijack Vulnerability Allows

ConnectWise has issued an urgent security advisory for its ScreenConnect remote desktop software. A critical cryptographic vulnerability, detailed in the advisory, could allow unauthenticated attackers to extract server-level machine keys and hijack session authentication.

The flaw, tracked as CVE-2026-3564, affects all ScreenConnect versions prior to 26.1 and carries a CVSS score of 9.0, placing it firmly in the critical-to-important severity tier.

At the core of the issue is how older versions of ScreenConnect stored unique machine keys and cryptographic identifiers tied to each server instance.

These keys were written in plaintext within server configuration files, meaning that under certain conditions, an attacker who gains access to the filesystem or configuration data could extract this material without needing elevated privileges on the target system.

ScreenConnect Vulnerability Extract Keys

Once extracted, the machine keys can be weaponized to forge or manipulate session authentication tokens, effectively impersonating legitimate sessions and bypassing access controls.

The vulnerability is classified under CWE-347 (Improper Verification of Cryptographic Signature), highlighting the root cause: the software’s failure to adequately verify the integrity of these cryptographic components before trusting them for authentication decisions.

The CVSS vector indicates network exploitability with no privileges or user interaction required, though the high attack complexity reflects that specific conditions must be met.

Notably, the scope is marked as Changed, meaning a successful exploit could impact resources beyond the vulnerable component itself, a significant concern in enterprise remote access environments where ScreenConnect is widely deployed.

ConnectWise has assigned this vulnerability a Priority 1 (High) rating, indicating it is either actively being targeted or at elevated risk of exploitation in the wild. Organizations running on-premises ScreenConnect deployments are particularly exposed and should treat remediation as an emergency change, ideally within days of the advisory’s release.

The updated ScreenConnect version 26.1 addresses the flaw by introducing encrypted storage and enhanced key management for machine key material, significantly reducing the risk of unauthorized extraction even if server integrity is partially compromised.

Cloud-hosted ScreenConnect instances require no action, as ConnectWise has already applied mitigations on the backend. On-premises partners, however, must manually upgrade to version 26.1 through the official ScreenConnect download page.

Lapsed maintenance licenses must be renewed before the update can be applied.

Given the near-critical CVSS score and Priority 1 classification, security teams managing on-premises ScreenConnect deployments should prioritize patching immediately and audit session logs for any anomalous authentication activity that could indicate prior exploitation attempts.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.