What happened
ConnectWise disclosed a critical vulnerability in its ScreenConnect remote access software that allows attackers to extract unique machine keys and hijack active sessions. The flaw stems from how earlier versions stored cryptographic machine keys in server configuration files, which under certain conditions could be accessed by unauthorized actors. If extracted, these keys can be used to impersonate legitimate sessions and bypass authentication controls. The vulnerability, tracked as CVE-2026-3564, carries a CVSS score of 9.0, indicating critical severity. Researchers noted that once the keys are compromised, attackers can gain persistent access and potentially take full control of affected systems without requiring user interaction.Â
Who is affected
Organizations using on-premises versions of ConnectWise ScreenConnect, particularly older or unpatched deployments, are affected, as attackers can exploit exposed machine keys to hijack sessions and access managed systems.Â
Why CISOs should care
The vulnerability impacts a remote access platform with administrative-level control over endpoints, meaning successful exploitation can lead to widespread compromise across managed environments.Â
3 practical actions
- Upgrade ScreenConnect immediately. Apply updates that secure machine key handling and prevent unauthorized extraction.Â
- Audit server configuration exposure. Ensure sensitive cryptographic material is not accessible or improperly stored.Â
- Monitor for session anomalies. Detect unauthorized session activity that may indicate key misuse or impersonation.Â
For more coverage of newly disclosed security flaws and active exploitation, explore our reporting under the Vulnerabilities tag.
