Important Security Update for ConnectWise ScreenConnect

A brief note for readers who use the ScreenConnect product from ConnectWise. The vendor has issued a warning that an important security update is available for this product. Users and administrators who are running the on-premises version of this product should install the update as soon as possible.



ConnectWise ScreenConnect (formerly ConnectWise Control) is a self-hostable remote desktop software application. It was originally developed by Elsinore Technologies in 2008 under the name ScreenConnect and is now owned by ConnectWise Inc.

Vulnerability in ScreenConnect 25.2.3 and earlier

ScreenConnect from ConnectWise has a vulnerability rated high (CVSS 3.1 score of 8.8) in versions 25.2.3 and earlier. According to ConnectWise, these versions may be susceptible to a ViewState code injection attack.

The background is that ASP.NET Web Forms use ViewState to preserve the state of pages and controls. The data is Base64-encoded and protected by machine keys. Privileged access at system level is required to obtain these machine keys.

However, if these machine keys are compromised, attackers can create a malicious ViewState and send it to the website. This can lead to remote code execution on the server.
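The role of the machine key can be seen in a simplified model, added here as an illustration (it is not ConnectWise or ASP.NET code, and the real ViewState serialization and key handling differ). The function names, the sample state and the HMAC-SHA256 construction are assumptions chosen for the sketch; it shows that Base64 hides nothing and that acceptance depends only on who holds the key.

```python
import base64
import hashlib
import hmac
import os

MAC_LEN = hashlib.sha256().digest_size  # 32-byte tag appended to the state


def protect(state: bytes, machine_key: bytes) -> str:
    """Append an HMAC over the state, then Base64-encode it for the form field."""
    tag = hmac.new(machine_key, state, hashlib.sha256).digest()
    return base64.b64encode(state + tag).decode("ascii")


def unprotect(field: str, machine_key: bytes) -> bytes:
    """Return the state only if its MAC verifies under machine_key."""
    blob = base64.b64decode(field, validate=True)  # bad Base64 raises ValueError
    if len(blob) < MAC_LEN:
        raise ValueError("too short to carry a MAC")
    state, tag = blob[:-MAC_LEN], blob[-MAC_LEN:]
    expected = hmac.new(machine_key, state, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("MAC check failed")
    return state


def accepted(field: str, machine_key: bytes) -> bool:
    try:
        unprotect(field, machine_key)
        return True
    except ValueError:
        return False


def demo() -> dict:
    server_key, other_key = os.urandom(32), os.urandom(32)
    state = b"page=Login;step=2"  # constructed sample state
    field = protect(state, server_key)
    flipped = bytearray(base64.b64decode(field))
    flipped[0] ^= 0x01  # change one bit of the state, keep the old tag
    tampered = base64.b64encode(bytes(flipped)).decode("ascii")
    return {
        # Base64 is only an encoding: the state is readable without any key.
        "readable_without_key": base64.b64decode(field)[:-MAC_LEN] == state,
        "genuine": accepted(field, server_key),
        "tampered": accepted(tampered, server_key),
        "signed_with_other_key": accepted(protect(state, other_key), server_key),
        # Any holder of the server's key produces state the server accepts.
        "signed_with_server_key": accepted(protect(b"x=1", server_key), server_key),
        # Once the key is replaced, state protected under the old key fails.
        "old_state_after_key_change": accepted(field, other_key),
    }
```
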

Update to ScreenConnect 25.2.4

ConnectWise has released a patch that disables ViewState and removes all dependencies on it. The patch ships with ScreenConnect version 25.2.4, which is available on the vendor's download page. Notes on the upgrade can be found in the Security Bulletin.



Blog reader Heinz H. informed me of the relevant message by email late in the evening of April 24, 2025.

Urgent: Important Security Update for ScreenConnect

–Important update from ConnectWise–

Dear Partner,

ConnectWise has issued a new security bulletin on our Trust Center concerning a security fix to ScreenConnect versions 25.2.3 and earlier. ScreenConnect versions 25.2.3 and earlier versions can potentially be subject to ViewState code injection attacks. ASP.NET Web Forms use ViewState to preserve page and control state, with data encoded using Base64 protected by machine keys. It is important to note that to obtain these machine keys, privileged system-level access must be obtained.

It is crucial to understand that this issue could potentially impact any product utilizing ASP.NET framework ViewStates, and ScreenConnect is not an outlier.

What We've Done

Our cross-functional teams conducted comprehensive assessments of all our Cloud instances to identify any potential areas of risk. Additionally, we have implemented enhanced monitoring measures to actively track any changes or suspicious activities related to this issue. Meanwhile, our engineering team effectively identified and implemented a product level patch in the ConnectWise ScreenConnect Cloud. Partners who are on premises must patch their ScreenConnect instance immediately.

What You Should Do

Cloud partners
No action is required. ScreenConnect servers hosted in "screenconnect.com" cloud (standalone and Automate/RMM integrated) or "hostedrmm.com" for Automate partners have been updated to remediate the issue.

On-premises partners

On-premise: Active maintenance
If you are on active maintenance, we strongly recommend upgrading to the most current release of 25.2.4. Using the most current release of ScreenConnect includes security updates, bug fixes, and enhancements not found in older releases.

To upgrade to version 25.2.4, please note there is a specific upgrade path that must be followed:

22.8 → 23.3 → 25.2.4

For instructions on how to upgrade your on-premise installation, click here.

On-premise: Off maintenance
We recommend renewing maintenance and upgrading to the newest release, 25.2.4. Please see the above instructions for how to upgrade to the newest version of ScreenConnect and to check your maintenance status.

If you elect not to renew maintenance, we have released free security patches for select older versions dating back to release 23.9. Versions of ScreenConnect can be downloaded from the ConnectWise website: https://screenconnect.com/download/archive The updated releases will have a publish date of April 22nd, 2025, or later. Partners on a version older than 23.9 will be able to upgrade to 23.9 at no additional charge.

For help with upgrading visit ConnectWise Chat to open a case or email help@connectwise.com for additional support.

If you have additional questions, please contact security@connectwise.com.

If you have any questions regarding maintenance, please contact screenconnectsales@connectwise.com or call +1-813-514-8400.

ConnectWise Security Bulletin
Please refer to the security bulletin posted to our Trust Center regarding this vulnerability for more detailed information.

Stay Informed
We are committed to transparency and will keep you informed of any further developments. For real-time updates, please subscribe to the ConnectWise security bulletin RSS feed.

Report a Security Incident
To report a security or privacy incident, please visit the ConnectWise Trust Center.

We appreciate your continued partnership.

Thank you,
The ScreenConnect Team

