A high-severity vulnerability (CVE-2025-3935) affecting ScreenConnect versions 25.2.3 and earlier has been disclosed, involving ASP.NET ViewState code injection. The flaw, rated 8.1 on the CVSS scale, could allow remote code execution (RCE) if machine keys are compromised. While the issue stems from platform-level behavior in ASP.NET Web Forms rather than a ScreenConnect-specific flaw, ConnectWise has released a patch (version 25.2.4) that disables ViewState entirely to mitigate the risk1.
Technical Breakdown
The vulnerability centers on ASP.NET’s ViewState mechanism, which preserves page and control state by serializing data in Base64 format. By design, this data is protected by machine keys, but if these keys are obtained through privileged system access, attackers could craft malicious ViewState payloads2. Successful exploitation would require the attacker to first compromise these keys, making this an attack chain rather than a direct exploit.
ConnectWise’s security bulletin clarifies that the ScreenConnect 2025.4 patch removes all dependencies on ViewState, effectively neutralizing this attack vector3. The company emphasizes that cloud-hosted instances were automatically patched, while on-premises deployments require manual updates following a specific upgrade path: 22.8 → 23.3 → 25.2.4. Organizations running older, unsupported versions can still obtain the 23.9 patch at no cost.
Impact and Detection
The vulnerability’s impact is significant but requires specific preconditions for exploitation. Microsoft’s security blog notes that over 3,000 ASP.NET applications have exposed machine keys in past incidents, highlighting the importance of proper key management4. Detection should focus on:
- Unauthorized modifications to web.config files containing machine keys
- Unusual ViewState payloads in HTTP requests
- Unexpected process execution originating from w3wp.exe
Mitigation and Best Practices
Beyond applying the ScreenConnect patch, organizations should implement additional defensive measures. Microsoft recommends rotating machine keys periodically and storing them securely4. For broader ASP.NET environments, consider:
| Action | Implementation |
|---|---|
| ViewState MAC Validation | Enable in web.config: <pages enableViewStateMac=”true” /> |
| Key Isolation | Use unique machine keys per application |
| Request Monitoring | Alert on large or malformed ViewState payloads |
Third-party researchers have published detection rules for common ViewState injection patterns, which can be integrated into SIEM solutions5. These focus on identifying Base64-encoded .NET serialized objects in POST requests to ASP.NET endpoints.
Conclusion
CVE-2025-3935 demonstrates how platform-level features can introduce risk even in well-hardened applications like ScreenConnect. While the immediate threat is mitigated through patching, the incident underscores the importance of secure configuration management in ASP.NET environments. Organizations should treat this as an opportunity to audit their ViewState implementations beyond just ScreenConnect deployments.
References
- “ScreenConnect 25.2.4 Security Patch Overview,” ConnectWise Security Bulletin, Apr. 2025. [Online]. Available: https://www.connectwise.com/company/trust/security-bulletins/screenconnect-security-patch-2025.4
- “CVE-2025-3935,” Vulners, Apr. 2025. [Online]. Available: https://vulners.com/cvelist/CVELIST:CVE-2025-3935
- “Important Security Update for ConnectWise ScreenConnect,” BornCity, Apr. 2025. [Online]. Available: https://borncity.com/win/2025/04/25/important-security-update-for-connect-wise-screenconnect/
- “Code Injection Attacks Using Publicly Disclosed ASP.NET Machine Keys,” Microsoft Security Blog, Feb. 2025. [Online]. Available: https://www.microsoft.com/en-us/security/blog/2025/02/06/code-injection-attacks-using-publicly-disclosed-asp-net-machine-keys/
- “ASP.NET ViewState Risks,” CinchOps, Apr. 2025. [Online]. Available: https://cinchops.com/asp-net-injection/
