Cyber Resilience

CVE-2025-3935

HighCISA KEVActive ExploitationEUVD ExploitedRCE

Published: 25 April 2025

Published
25 April 2025
Modified
24 October 2025
KEV Added
02 June 2025
Patch
CVSS Score v3.1 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0615 91.0th percentile
Risk Priority 40 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-3935 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Connectwise Screenconnect. Its CVSS base score is 8.1 (High).

Operationally, ranked in the top 9.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-2 (Flaw Remediation).

Deeper analysis

ScreenConnect versions 25.2.3 and earlier are affected by a ViewState code injection issue that stems from ASP.NET Web Forms behavior rather than a flaw introduced by the product itself. The software uses Base64-encoded ViewState data protected by machine keys to maintain page state; when those keys are known, an attacker can craft a malicious ViewState payload that results in remote code execution on the server. The vulnerability carries a CVSS 3.1 score of 8.1 and is tracked under CWE-502.

An attacker must first obtain privileged system-level access to retrieve the machine keys before they can send a crafted ViewState to the ScreenConnect web interface. With the keys in hand, the attacker can achieve arbitrary code execution on the server. The issue has no direct impact on the ScreenConnect client component.

ConnectWise advisories and the 2025.4 release notes state that the patch disables ViewState entirely and removes any dependency on it. The vulnerability appears in the CISA Known Exploited Vulnerabilities catalog. Its EPSS score rose materially from a low baseline to a peak of 0.1550 on 2026-02-20 before receding, indicating increased exploitation interest after disclosure.

EU & UK References

Vulnerability details

ScreenConnect versions 25.2.3 and earlier versions may be susceptible to a ViewState code injection attack. ASP.NET Web Forms use ViewState to preserve page and control state, with data encoded using Base64 protected by machine keys. It is important to note…

more

that to obtain these machine keys, privileged system level access must be obtained. If these machine keys are compromised, attackers could create and send a malicious ViewState to the website, potentially leading to remote code execution on the server. The risk does not originate from a vulnerability introduced by ScreenConnect, but from platform level behavior. This had no direct impact to ScreenConnect Client. ScreenConnect 2025.4 patch disables ViewState and removes any dependency on it.

CWE(s)
KEV Date Added
02 June 2025

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

connectwise
screenconnect
≤ 25.2.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Least privilege directly blocks the required initial step of obtaining privileged system-level access to retrieve ASP.NET machine keys.

prevent

Flaw remediation requires applying the 2025.4 patch that disables ViewState and removes the dependency entirely.

prevent

Cryptographic key management controls protect the machine keys whose compromise enables the malicious ViewState payload.

References