Overview
- CVE-2026-3564 carries a CVSS 9.0 rating and stems from improper cryptographic signature verification that could let attackers forge trusted authentication data for session hijacking and privilege escalation.
- All versions before ScreenConnect 26.1 are affected, and the flaw can be exploited remotely by unauthenticated attackers without user interaction.
- Version 26.1 encrypts ASP.NET machine keys, improves key management, and lets administrators regenerate cryptographic material to reduce the impact of any prior exposure.
- ConnectWise auto-upgraded cloud-hosted instances, while customers running on-premises or self-hosted deployments are urged to update to 26.1 immediately.
- Researchers have seen attempts to misuse disclosed machine keys, but ConnectWise says it has no evidence of CVE-2026-3564 being exploited in its hosted environment and has no confirmed indicators of compromise (IoCs).