The flaw, tracked as CVE-2026-3564, has been assigned a CVSS v3.1 score of 9.0 and is already considered at risk of active exploitation, prompting a Priority 1 advisory from ConnectWise.
The issue originates from improper verification of cryptographic signatures within ScreenConnect’s authentication architecture, classified under CWE-347.
In vulnerable versions, the application stores unique machine keys directly within server configuration files, exposing sensitive cryptographic material under certain compromise scenarios.
If an attacker gains access to the server environment through misconfiguration, lateral movement, or another exploit, they can extract these machine keys.
Once obtained, the keys can be used to forge authentication tokens, effectively bypassing session integrity controls.
This allows adversaries to hijack legitimate remote desktop sessions without requiring user interaction or credentials, granting full access to connected endpoints.
The impact spans confidentiality, integrity, and availability, as attackers can monitor sessions, execute commands, and potentially deploy further payloads within managed environments.
Although the vulnerability is rated high attack complexity (AC:H in the CVSS vector AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H), it requires no privileges or user interaction (PR:N, UI:N), which significantly elevates its risk profile.
In practical terms, attackers who successfully breach the server layer can escalate their access rapidly by abusing the exposed cryptographic trust model.
Given ScreenConnect’s widespread use in managed service providers (MSPs) and enterprise IT environments, exploitation could lead to large-scale compromise of downstream client systems, making this flaw particularly dangerous in supply chain or multi-tenant scenarios.
To mitigate the issue, ConnectWise released ScreenConnect version 26.1, which introduces substantial architectural changes to how machine keys are handled.
The update eliminates plaintext storage of keys in configuration files and replaces it with encrypted storage combined with active key management mechanisms.
This redesign ensures that even if attackers gain partial access to the server, they cannot easily extract or reuse cryptographic material to impersonate sessions.
The new model significantly strengthens authentication workflows and reduces the risk of session forgery.
All ScreenConnect versions before 26.1 are vulnerable to CVE-2026-3564. Organizations running outdated deployments are exposed to potential session hijacking attacks and should consider their environments at immediate risk.
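A defender-side triage check for the two conditions described above (a release older than 26.1, and key material sitting in plaintext in a configuration file), as an added example that is not ConnectWise code. The article does not name the file or its format, so the ASP.NET-style `<machineKey>` element, the sample configs and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

FIXED_VERSION = (26, 1)  # first fixed release according to the article

# Constructed sample configs (assumed ASP.NET-style layout, not from a real server).
PLAINTEXT_CONFIG = """<configuration><system.web>
  <machineKey validationKey="0123ABCD0123ABCD" decryptionKey="89EF89EF89EF89EF" />
</system.web></configuration>"""
PROTECTED_CONFIG = """<configuration><system.web>
  <machineKey configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData><CipherData><CipherValue>AAAA</CipherValue></CipherData></EncryptedData>
  </machineKey>
</system.web></configuration>"""


def is_vulnerable_version(version):
    """True when the major.minor release is older than 26.1."""
    parts = tuple(int(p) for p in version.split(".")[:2])
    return parts < FIXED_VERSION  # "26" compares as older than "26.1"


def plaintext_key_attributes(config_xml):
    """Return the machineKey attributes that hold literal key material."""
    findings = []
    for node in ET.fromstring(config_xml).iter("machineKey"):
        if node.get("configProtectionProvider"):
            continue  # section is encrypted at rest, no readable key here
        for attr in ("validationKey", "decryptionKey"):
            value = node.get(attr, "")
            # "AutoGenerate..." means the key is not written into the file
            if value and not value.startswith("AutoGenerate"):
                findings.append(attr)
    return findings


def audit(version, config_xml):
    """Combine both checks into one triage record for a server."""
    old = is_vulnerable_version(version)
    keys = plaintext_key_attributes(config_xml)
    return {"vulnerable_version": old, "plaintext_keys": keys,
            "exposed": old and bool(keys)}


if __name__ == "__main__":
    print(audit("25.9.3", PLAINTEXT_CONFIG))   # constructed version string
    print(audit("26.1", PROTECTED_CONFIG))
```

The check never prints key values, only the attribute names, so its output can be collected centrally without copying the secret.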
ConnectWise has emphasized that this vulnerability should be treated as an emergency patch scenario.
The recommended actions depend on deployment type:
Security teams should also review server access logs and monitor for anomalous session behavior, particularly unauthorized session takeovers or unusual authentication patterns.
This vulnerability highlights the risks associated with improper cryptographic key management in remote access tools.
Storing sensitive keys in accessible configurations creates a single point of failure that attackers can exploit to undermine trust mechanisms across entire environments.
The post ScreenConnect Flaw Lets Hackers Steal Machine Keys and Hijack Sessions appeared first on Cyber Security News.