By rssfeeds-admin 
The flaw, tracked as CVE-2026-3564, affects all ScreenConnect versions prior to 26.1 and carries a CVSS score of 9.0, placing it firmly in the critical-to-important severity tier.
At the core of the issue is how older versions of ScreenConnect stored unique machine keys and cryptographic identifiers tied to each server instance.
These keys were written in plaintext within server configuration files, meaning that under certain conditions, an attacker who gains access to the filesystem or configuration data could extract this material without needing elevated privileges on the target system.
ScreenConnect Vulnerability Extract Keys
Once extracted, the machine keys can be weaponized to forge or manipulate session authentication tokens, effectively impersonating legitimate sessions and bypassing access controls.
The vulnerability is classified under CWE-347 (Improper Verification of Cryptographic Signature), highlighting the root cause: the software’s failure to adequately verify the integrity of these cryptographic components before trusting them for authentication decisions.
The CVSS vector indicates network exploitability with no privileges or user interaction required, though the high attack complexity reflects that specific conditions must be met.
Notably, the scope is marked as Changed, meaning a successful exploit could impact resources beyond the vulnerable component itself, a significant concern in enterprise remote access environments where ScreenConnect is widely deployed.
ConnectWise has assigned this vulnerability a Priority 1 (High) rating, indicating it is either actively being targeted or at elevated risk of exploitation in the wild. Organizations running on-premises ScreenConnect deployments are particularly exposed and should treat remediation as an emergency change, ideally within days of the advisory’s release.
The updated ScreenConnect version 26.1 addresses the flaw by introducing encrypted storage and enhanced key management for machine key material, significantly reducing the risk of unauthorized extraction even if server integrity is partially compromised.
Cloud-hosted ScreenConnect instances require no action, as ConnectWise has already applied mitigations on the backend. On-premises partners, however, must manually upgrade to version 26.1 through the official ScreenConnect download page.
Lapsed maintenance licenses must be renewed before the update can be applied.
Given the near-critical CVSS score and Priority 1 classification, security teams managing on-premises ScreenConnect deployments should prioritize patching immediately and audit session logs for any anomalous authentication activity that could indicate prior exploitation attempts.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
The post ScreenConnect Vulnerability Allows Hackers to Extract Unique Machine Keys and Hijack Sessions appeared first on Cyber Security News.
Discover more from RSS Feeds Cloud
Subscribe to get the latest posts sent to your email.