CVE-2025-3935 (GCVE-0-2025-3935)

Vulnerability from cvelistv5 – Published: 2025-04-25 18:27 – Updated: 2025-10-21 22:55
VLAI?
Title
ScreenConnect Exposure to ASP.NET ViewState Code Injection
Summary
ScreenConnect versions 25.2.3 and earlier versions may be susceptible to a ViewState code injection attack. ASP.NET Web Forms use ViewState to preserve page and control state, with data encoded using Base64 protected by machine keys.  It is important to note that to obtain these machine keys, privileged system level access must be obtained. If these machine keys are compromised, attackers could create and send a malicious ViewState to the website, potentially leading to remote code execution on the server.  The risk does not originate from a vulnerability introduced by ScreenConnect, but from platform level behavior.  This had no direct impact to ScreenConnect Client. ScreenConnect 2025.4 patch disables ViewState and removes any dependency on it.
Severity ?
8.1 (High)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE
  • CWE-502 - Deserialization of Untrusted Data
Assigner
References
Impacted products
Vendor Product Version
ConnectWise ScreenConnect Affected: <25.2.3
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-3935",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-06T03:55:32.340641Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2025-06-02",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-3935"
              },
              "type": "kev"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-21T22:55:17.656Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "government-resource"
            ],
            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-3935"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2025-06-02T00:00:00+00:00",
            "value": "CVE-2025-3935 added to CISA KEV"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "Microsoft ASP.NET"
          ],
          "product": "ScreenConnect",
          "vendor": "ConnectWise",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c25.2.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eScreenConnect versions 25.2.3 and earlier versions may be susceptible to a ViewState code injection attack. ASP.NET Web Forms use ViewState to preserve page and control state, with data encoded using Base64 protected by machine keys.\u0026nbsp;\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eIt is important to note that to obtain these machine keys, privileged system level access must be obtained. \u003c/span\u003e\n\n\u003c/span\u003e\u003cbr\u003e\u003cbr\u003eI\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ef these machine keys are compromised, attackers could create and send a malicious ViewState to the website, potentially leading to remote code execution on the server.\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cbr\u003e\u003c/span\u003e\n\n\u003cbr\u003eThe risk does not originate from a vulnerability introduced by ScreenConnect, but from platform level behavior.\u0026nbsp; This had no direct impact to ScreenConnect Client.\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eScreenConnect 2025.4 patch disables ViewState and removes any dependency on it. \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;\u003c/span\u003e"
            }
          ],
          "value": "ScreenConnect versions 25.2.3 and earlier versions may be susceptible to a ViewState code injection attack. ASP.NET Web Forms use ViewState to preserve page and control state, with data encoded using Base64 protected by machine keys.\u00a0\nIt is important to note that to obtain these machine keys, privileged system level access must be obtained. \n\n\n\nIf these machine keys are compromised, attackers could create and send a malicious ViewState to the website, potentially leading to remote code execution on the server.\u00a0\n\n\n\nThe risk does not originate from a vulnerability introduced by ScreenConnect, but from platform level behavior.\u00a0 This had no direct impact to ScreenConnect Client.\u00a0ScreenConnect 2025.4 patch disables ViewState and removes any dependency on it."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-115",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-115 Authentication Bypass"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "CWE-502 Deserialization of Untrusted Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-03T16:31:13.339Z",
        "orgId": "7d616e1a-3288-43b1-a0dd-0a65d3e70a49",
        "shortName": "ConnectWise"
      },
      "references": [
        {
          "url": "https://www.connectwise.com/company/trust/security-bulletins/screenconnect-security-patch-2025.4"
        },
        {
          "url": "https://www.connectwise.com/company/trust/advisories"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003e\u003c/p\u003e\u003cb\u003eCloud:\u0026nbsp;\u003c/b\u003eNo action is required. \u003cbr\u003e\u003cbr\u003e\u003cb\u003eOn-premises:\u0026nbsp;\u003c/b\u003eUpgrade to the latest stable version.\u003cbr\u003e\n\n\n\n\n\n\n\n\n\n\u003cp\u003eDetails and guidance can be found here:\n\n\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.connectwise.com/company/trust/security-bulletins/screenconnect-security-patch-2025.4\"\u003eScreenConnect 25.2.4 Security Patch\u003c/a\u003e\n\n\u003c/p\u003e\n\n\n\n\n\u003cbr\u003e"
            }
          ],
          "value": "Cloud:\u00a0No action is required. \n\nOn-premises:\u00a0Upgrade to the latest stable version.\n\n\n\n\n\n\n\n\n\n\nDetails and guidance can be found here:\n\n ScreenConnect 25.2.4 Security Patch https://www.connectwise.com/company/trust/security-bulletins/screenconnect-security-patch-2025.4"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "ScreenConnect Exposure to ASP.NET ViewState Code Injection",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d616e1a-3288-43b1-a0dd-0a65d3e70a49",
    "assignerShortName": "ConnectWise",
    "cveId": "CVE-2025-3935",
    "datePublished": "2025-04-25T18:27:44.244Z",
    "dateReserved": "2025-04-25T14:32:25.365Z",
    "dateUpdated": "2025-10-21T22:55:17.656Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "cisa_known_exploited": {
      "cveID": "CVE-2025-3935",
      "cwes": "[\"CWE-287\"]",
      "dateAdded": "2025-06-02",
      "dueDate": "2025-06-23",
      "knownRansomwareCampaignUse": "Unknown",
      "notes": "https://www.connectwise.com/company/trust/security-bulletins/screenconnect-security-patch-2025.4 ;   https://nvd.nist.gov/vuln/detail/CVE-2025-3935",
      "product": "ScreenConnect",
      "requiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
      "shortDescription": "ConnectWise ScreenConnect contains an improper authentication vulnerability. This vulnerability could allow a ViewState code injection attack, which could allow remote code execution if machine keys are compromised.",
      "vendorProject": "ConnectWise",
      "vulnerabilityName": "ConnectWise ScreenConnect Improper Authentication Vulnerability"
    },
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-3935\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"active\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-06-06T03:55:32.340641Z\"}}}, {\"other\": {\"type\": \"kev\", \"content\": {\"dateAdded\": \"2025-06-02\", \"reference\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-3935\"}}}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2025-06-02T00:00:00+00:00\", \"value\": \"CVE-2025-3935 added to CISA KEV\"}], \"references\": [{\"url\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-3935\", \"tags\": [\"government-resource\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-04-25T18:55:48.517Z\"}}], \"cna\": {\"title\": \"ScreenConnect Exposure to ASP.NET ViewState Code Injection\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"impacts\": [{\"capecId\": \"CAPEC-115\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-115 Authentication Bypass\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"ConnectWise\", \"product\": \"ScreenConnect\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c25.2.3\"}], \"platforms\": [\"Microsoft ASP.NET\"], \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"Cloud:\\u00a0No action is required. \\n\\nOn-premises:\\u00a0Upgrade to the latest stable version.\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\nDetails and guidance can be found here:\\n\\n ScreenConnect 25.2.4 Security Patch https://www.connectwise.com/company/trust/security-bulletins/screenconnect-security-patch-2025.4\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003e\u003c/p\u003e\u003cb\u003eCloud:\u0026nbsp;\u003c/b\u003eNo action is required. \u003cbr\u003e\u003cbr\u003e\u003cb\u003eOn-premises:\u0026nbsp;\u003c/b\u003eUpgrade to the latest stable version.\u003cbr\u003e\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\u003cp\u003eDetails and guidance can be found here:\\n\\n\u003ca target=\\\"_blank\\\" rel=\\\"nofollow\\\" href=\\\"https://www.connectwise.com/company/trust/security-bulletins/screenconnect-security-patch-2025.4\\\"\u003eScreenConnect 25.2.4 Security Patch\u003c/a\u003e\\n\\n\u003c/p\u003e\\n\\n\\n\\n\\n\u003cbr\u003e\", \"base64\": false}]}], \"references\": [{\"url\": \"https://www.connectwise.com/company/trust/security-bulletins/screenconnect-security-patch-2025.4\"}, {\"url\": \"https://www.connectwise.com/company/trust/advisories\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"ScreenConnect versions 25.2.3 and earlier versions may be susceptible to a ViewState code injection attack. ASP.NET Web Forms use ViewState to preserve page and control state, with data encoded using Base64 protected by machine keys.\\u00a0\\nIt is important to note that to obtain these machine keys, privileged system level access must be obtained. \\n\\n\\n\\nIf these machine keys are compromised, attackers could create and send a malicious ViewState to the website, potentially leading to remote code execution on the server.\\u00a0\\n\\n\\n\\nThe risk does not originate from a vulnerability introduced by ScreenConnect, but from platform level behavior.\\u00a0 This had no direct impact to ScreenConnect Client.\\u00a0ScreenConnect 2025.4 patch disables ViewState and removes any dependency on it.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eScreenConnect versions 25.2.3 and earlier versions may be susceptible to a ViewState code injection attack. ASP.NET Web Forms use ViewState to preserve page and control state, with data encoded using Base64 protected by machine keys.\u0026nbsp;\\n\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eIt is important to note that to obtain these machine keys, privileged system level access must be obtained. \u003c/span\u003e\\n\\n\u003c/span\u003e\u003cbr\u003e\u003cbr\u003eI\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003ef these machine keys are compromised, attackers could create and send a malicious ViewState to the website, potentially leading to remote code execution on the server.\u0026nbsp;\u003c/span\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003e\u003cbr\u003e\u003c/span\u003e\\n\\n\u003cbr\u003eThe risk does not originate from a vulnerability introduced by ScreenConnect, but from platform level behavior.\u0026nbsp; This had no direct impact to ScreenConnect Client.\u0026nbsp;\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eScreenConnect 2025.4 patch disables ViewState and removes any dependency on it. \u003c/span\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003e\u0026nbsp;\u003c/span\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-502\", \"description\": \"CWE-502 Deserialization of Untrusted Data\"}]}], \"providerMetadata\": {\"orgId\": \"7d616e1a-3288-43b1-a0dd-0a65d3e70a49\", \"shortName\": \"ConnectWise\", \"dateUpdated\": \"2025-09-03T16:31:13.339Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-3935\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-10-21T22:55:17.656Z\", \"dateReserved\": \"2025-04-25T14:32:25.365Z\", \"assignerOrgId\": \"7d616e1a-3288-43b1-a0dd-0a65d3e70a49\", \"datePublished\": \"2025-04-25T18:27:44.244Z\", \"assignerShortName\": \"ConnectWise\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.