Detections
Analytics

ConnectWise ScreenConnect < 25.2.4 RCE

high Nessus Plugin ID 237587

Language:

Synopsis

A remote access server installed on the remote Windows host is affected by a remote code execution vulnerability.

Description

According to its version, the ConnectWise ScreenConnect remote access software installed on the remote host is prior to 25.2.4. It is, therefore affected by a remote code execution vulnerability:

 - ScreenConnect versions 25.2.3 and earlier versions may be susceptible to a ViewState code injection attack. ASP.NET Web Forms use ViewState to preserve page and control state, with data encoded using Base64 protected by machine keys. It is important to note that to obtain these machine keys, privileged system level access must be obtained. If these machine keys are compromised, attackers could create and send a malicious ViewState to the website, potentially leading to remote code execution on the server. The risk does not originate from a vulnerability introduced by ScreenConnect, but from platform level behavior. This had no direct impact to ScreenConnect Client. ScreenConnect 2025.4 patch disables ViewState and removes any dependency on it.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Upgrade to ConnectWise ScreenConnect Service version 25.2.4 or later

See Also

http://www.nessus.org/u?25002a6e

Plugin Details

Severity: High

ID: 237587

File Name: connectwise_screenconnect_25_2_4.nasl

Version: 1.2

Type: local

Agent: windows, macosx, unix

Family: Misc.

Published: 5/30/2025

Updated: 6/9/2025

Configuration: Enable thorough checks (optional)

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: High

Score: 8.4

CVSS v2

Risk Factor: High

Base Score: 8.3

Temporal Score: 6.9

Vector: CVSS2#AV:N/AC:L/Au:M/C:C/I:C/A:C

CVSS Score Source: CVE-2025-3935

CVSS v3

Risk Factor: High

Base Score: 7.2

Temporal Score: 6.7

Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:connectwise:screenconnect

Required KB Items: installed_sw/ConnectWise ScreenConnect

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 4/24/2025

Vulnerability Publication Date: 4/24/2025

CISA Known Exploited Vulnerability Due Dates: 6/23/2025

Reference Information

CVE: CVE-2025-3935