A high-severity vulnerability in ConnectWise ScreenConnect, tracked as CVE-2025-3935, is being actively exploited in the wild, prompting urgent attention from security teams. The flaw, which has a CVSS score of 7.2, was added to CISA's Known Exploited Vulnerabilities (KEV) catalog on June 2, 2025, underscoring its critical nature.
The vulnerability affects ScreenConnect versions 25.2.3 and earlier, allowing attackers to perform a ViewState code injection attack. This type of attack exploits ASP.NET Web Forms' ViewState mechanism, which is used to preserve page and control state. The data is encoded using Base64 and protected by machine keys. However, if attackers can obtain these machine keys, they can manipulate the ViewState data to execute arbitrary code on the server.
The exploitation of CVE-2025-3935 was detected within 37 days of its disclosure, highlighting the rapid pace at which threat actors are capitalizing on newly discovered vulnerabilities. The Exploit Prediction Scoring System (EPSS) for this vulnerability is 0.155, indicating a moderate likelihood of exploitation, which has already been realized in the wild.
Organizations using affected versions of ConnectWise ScreenConnect should prioritize patching to mitigate the risk of exploitation. The vulnerability's inclusion in the KEV list means federal agencies are likely under a mandate to address it promptly. Security teams should verify that their systems are updated to the latest version of ScreenConnect and review their ASP.NET configurations to ensure machine keys are securely managed.
CSURFACE