CVE-2025-3935

8.1 HIGH CISA KEV

📋 TL;DR

CVE-2025-3935 is a ViewState code injection vulnerability affecting ScreenConnect versions 25.2.3 and earlier. Attackers with compromised machine keys can craft malicious ViewState payloads to achieve remote code execution on the server. This affects organizations using vulnerable ScreenConnect installations, particularly those exposed to the internet.

💻 Affected Systems

Products:
  • ScreenConnect
Versions: 25.2.3 and earlier
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Requires compromise of machine keys first, which typically requires privileged system access. This is a platform-level ASP.NET vulnerability, not specific to ScreenConnect code.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full remote code execution on the ScreenConnect server, allowing complete system compromise, data theft, and lateral movement within the network.

🟠 Likely Case

Attackers with initial access escalate privileges to execute arbitrary code on the server, potentially deploying ransomware or establishing persistent backdoors.

🟢 If Mitigated

With proper network segmentation and access controls, impact is limited to the ScreenConnect server itself, though data exfiltration remains possible.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires obtaining machine keys first, which adds a prerequisite step. Once keys are obtained, ViewState manipulation is well-documented in ASP.NET.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: ScreenConnect 2025.4

Vendor Advisory: https://www.connectwise.com/company/trust/advisories

Restart Required: Yes

Instructions:

1. Download ScreenConnect 2025.4 from the ConnectWise portal.
2. Back up the current installation.
3. Run the installer with administrative privileges.
4. Restart the ScreenConnect services.
5. Verify that ViewState is disabled in the configuration.

🔧 Temporary Workarounds

Disable ViewState manually (platform: all)

Manually disable ViewState in web.config to prevent exploitation.

Edit web.config: <pages enableViewState="false" />

Rotate machine keys (platform: Windows)

Generate new machine keys to invalidate any compromised keys.

Use the Machine Key feature in IIS Manager, or generate via: aspnet_regiis -pc "MyKeys" -exp

🧯 If You Can't Patch

  • Isolate ScreenConnect server from internet with firewall rules
  • Implement strict access controls and monitor for unusual authentication attempts

🔍 How to Verify

Check if Vulnerable:

Check ScreenConnect version in Admin panel or via Help > About. Versions 25.2.3 or earlier are vulnerable.

Check Version:

On Windows: sc query "ScreenConnect Client" | findstr DisplayName

On Linux: systemctl status screenconnect

Verify Fix Applied:

Verify version is 2025.4 or later and check that ViewState is disabled in web.config (enableViewState="false").

📡 Detection & Monitoring

Log Indicators:

  • Unusual authentication patterns
  • Large or malformed ViewState parameters in IIS logs
  • Unexpected process creation from w3wp.exe

Network Indicators:

  • Unusual outbound connections from ScreenConnect server
  • Suspicious PowerShell or command execution patterns

SIEM Query:

(source="iis" AND url="*__VIEWSTATE*" AND size>10000) OR (process_name="w3wp.exe" AND child_process="powershell.exe")
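The log and process indicators above, expressed as detection logic over constructed sample data; this is an added example, not part of the advisory. Field names follow the IIS W3C log format, and the process events are a constructed (parent, child) list rather than any particular EDR's schema.

```python
"""Added example: hunt constructed IIS W3C logs and process events for ViewState indicators."""
from urllib.parse import parse_qs
SIZE_THRESHOLD = 10_000  # mirrors the size>10000 clause of the SIEM query above

# Constructed IIS W3C log; cs-bytes is the request size received from the client.
# __VIEWSTATE normally travels in the POST body, which IIS does not log, so the
# query-string check only fires when the logging pipeline actually captures it.
BIG_VIEWSTATE = "__VIEWSTATE=" + "A" * 12_000
SAMPLE_LOG = "\n".join([
    "#Fields: date time cs-method cs-uri-stem cs-uri-query cs-bytes sc-status c-ip",
    "2025-05-01 10:00:01 GET /Login.aspx - 512 200 198.51.100.7",
    "2025-05-01 10:00:05 POST /Login.aspx - 2210 200 198.51.100.7",
    "2025-05-01 10:00:09 POST /Login.aspx - 48321 500 203.0.113.9",
    f"2025-05-01 10:00:12 POST /Login.aspx {BIG_VIEWSTATE} 14000 200 203.0.113.9",
])
# Constructed process-creation events: (parent image, child image).
SAMPLE_PROCS = [
    (r"C:\Windows\System32\inetsrv\w3wp.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    (r"C:\Windows\System32\inetsrv\w3wp.exe", r"C:\Windows\System32\conhost.exe"),
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe"),
]

def parse_w3c(text):
    """Yield one dict per data line, keyed by the most recent #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def viewstate_alerts(text, threshold=SIZE_THRESHOLD):
    """Return (time, client_ip, reason) for oversized ViewState submissions."""
    alerts = []
    for rec in parse_w3c(text):
        query = rec.get("cs-uri-query", "-")
        params = parse_qs(query, keep_blank_values=True) if query != "-" else {}
        vs_len = max((len(v) for v in params.get("__VIEWSTATE", [])), default=0)
        big_post = (rec.get("cs-method") == "POST" and rec["cs-uri-stem"].lower().endswith(".aspx")
                    and int(rec.get("cs-bytes", "0")) > threshold)
        if vs_len > threshold:
            alerts.append((rec["time"], rec["c-ip"], f"__VIEWSTATE in URL, {vs_len} chars"))
        elif big_post:
            alerts.append((rec["time"], rec["c-ip"], f"oversized POST, {rec['cs-bytes']} bytes"))
    return alerts

def w3wp_shell_children(events, shells=("powershell.exe", "cmd.exe")):
    """Return (parent, child) pairs where the IIS worker process spawned a shell."""
    return [(p, c) for p, c in events
            if p.lower().endswith("\\w3wp.exe") and c.lower().rsplit("\\", 1)[-1] in shells]
```

Tune SIZE_THRESHOLD against a baseline of normal ScreenConnect traffic before alerting on it, since legitimate ViewState sizes vary by page.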
