Security Bulletin: ScreenConnect Authentication Trust Vulnerability and Hardening Advisory

Date: March 19, 2026
Severity: High
Affected Product: ConnectWise ScreenConnect (versions prior to 26.1)


Executive Summary

Critical Path Security is advising clients of a recently disclosed security concern impacting ConnectWise ScreenConnect related to the potential abuse of ASP.NET machine key material used for authentication trust.

If cryptographic material associated with a ScreenConnect instance is exposed, a threat actor may be able to forge or manipulate trusted application data. This could result in unauthorized access, session hijacking, and privilege escalation within the platform.

ConnectWise has released version 26.1 to address this risk through enhanced protection and rotation of cryptographic material.

Immediate action is recommended.


Technical Overview

ScreenConnect relies on ASP.NET machine keys to sign and validate protected application data, including authentication tokens and session state.

Under normal conditions, these keys ensure:

  • Data integrity

  • Authenticity of session information

  • Protection against tampering

However, if machine key material becomes accessible through:

  • Misconfigured backups

  • Exposed configuration files

  • Compromised systems

  • Unauthorized administrative access

an attacker may be able to:

  • Generate valid authentication tokens

  • Modify protected session data

  • Bypass authentication controls

  • Execute actions as a trusted or privileged user

This effectively undermines the trust model of the application.


Risk Impact

Successful exploitation may allow:

  • Unauthorized access to ScreenConnect instances

  • Hijacking of active remote sessions

  • Privilege escalation within the platform

  • Unauthorized administrative actions

  • Potential downstream compromise of managed endpoints

Given ScreenConnect’s role in remote access and management, this risk extends beyond the application itself and into the broader enterprise environment.


Observed Activity

Security researchers have reported active attempts to abuse disclosed ASP.NET machine key material in the wild.

While this advisory is focused on hardening and risk reduction, the presence of exploitation attempts indicates that threat actors are aware of and pursuing this attack path.


Vendor Response

ConnectWise has implemented the following security improvements in ScreenConnect version 26.1:

  • Enhanced protection of instance-specific cryptographic material

  • Ability to regenerate machine key material on demand

  • Improved integrity controls around authentication mechanisms

These changes reduce both the likelihood and duration of potential abuse if key material is exposed.


Recommended Actions

Critical Path Security recommends the following immediate steps:

1. Update Immediately

  • Upgrade all ScreenConnect instances to version 26.1 or later

2. Rotate Cryptographic Material

  • Regenerate machine keys where possible, especially if exposure is suspected

3. Restrict Access to Sensitive Data

  • Limit access to:

    • Application configuration files

    • Backup archives

    • System snapshots

4. Review Access Controls

  • Validate least privilege access at both:

    • Application level

    • Server level

5. Monitor for Suspicious Activity

  • Review logs for:

    • Unusual authentication events

    • Unexpected administrative actions

    • Session anomalies

6. Secure Backups and Artifacts

  • Ensure backups and exported configurations are:

    • Encrypted

    • Stored securely

    • Not accessible to unauthorized users

7. Validate Extensions

  • Confirm all ScreenConnect extensions are:

    • Trusted

    • Up to date

    • Actively maintained


Detection and Monitoring Considerations

Organizations should prioritize detection of:

  • Abnormal session creation or reuse

  • Authentication events without corresponding login activity

  • Privileged actions originating from unexpected sources

  • Changes to configuration or authentication settings

Integration with SIEM and centralized logging is strongly recommended.
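
The following is an added example, not part of the ConnectWise bulletin or of any ScreenConnect tooling, showing one way to implement the "authentication events without corresponding login activity" check. It correlates session activity with observed logins and flags sessions that no login issued, privileged actions from a new source, and sessions reused past policy. The event schema, field names, sample records and the 12-hour session age are assumptions constructed for illustration and are not ScreenConnect's native log format.

```python
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical normalized schema; this is NOT
# ScreenConnect's native log format. Map your own audit fields onto these keys.
SAMPLE_EVENTS = [
    {"ts": "2026-03-18T09:00:02", "type": "login", "user": "alice", "session": "s-101", "src": "10.0.4.15"},
    {"ts": "2026-03-18T09:05:40", "type": "admin_action", "user": "alice", "session": "s-101", "src": "10.0.4.15"},
    {"ts": "2026-03-18T11:12:09", "type": "admin_action", "user": "admin", "session": "s-777", "src": "203.0.113.50"},
    {"ts": "2026-03-18T12:30:00", "type": "login", "user": "bob", "session": "s-102", "src": "10.0.4.22"},
    {"ts": "2026-03-18T12:41:17", "type": "admin_action", "user": "bob", "session": "s-102", "src": "198.51.100.7"},
    {"ts": "2026-03-19T23:30:00", "type": "session_use", "user": "bob", "session": "s-102", "src": "10.0.4.22"},
]

MAX_SESSION_AGE = timedelta(hours=12)  # assumed policy value; tune to your session lifetime


def find_anomalies(events, max_age=MAX_SESSION_AGE):
    """Return (reason, event) pairs for session activity that lacks a matching login."""
    logins = {}    # session id -> (login time, user, source address)
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO 8601 strings sort by time
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "login":
            logins[ev["session"]] = (ts, ev["user"], ev["src"])
            continue
        origin = logins.get(ev["session"])
        if origin is None:
            # The session was used but no observed login ever issued it.
            findings.append(("no_login_for_session", ev))
            continue
        login_ts, login_user, login_src = origin
        if ev["user"] != login_user:
            findings.append(("user_mismatch", ev))
        if ev["type"] == "admin_action" and ev["src"] != login_src:
            findings.append(("privileged_action_new_source", ev))
        if ts - login_ts > max_age:
            findings.append(("session_older_than_policy", ev))
    return findings


if __name__ == "__main__":
    for reason, ev in find_anomalies(SAMPLE_EVENTS):
        print(f"{ev['ts']} {reason}: user={ev['user']} session={ev['session']} src={ev['src']}")
```

Sessions whose login predates the log window will also appear as `no_login_for_session`, so feed the check at least one full session lifetime of history before treating a hit as suspicious.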


Conclusion

This issue highlights a critical reality in modern application security:

When cryptographic trust is compromised, traditional authentication controls become unreliable.

For platforms like ScreenConnect, which sit at the center of remote access and administrative control, the impact is amplified significantly.

Organizations should treat this advisory as a priority and take immediate steps to update, secure, and monitor their environments.


References

  • Canadian Centre for Cyber Security Advisory AV26-257

  • ConnectWise ScreenConnect Security Bulletin (March 17, 2026)