CVE-2026-3564

Critical

Published: 17 March 2026

Published

17 March 2026

Modified

18 March 2026

KEV Added

—

Patch

—

CVSS Score 9.0 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS Score 0.0002 5.9th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-3564 is a critical-severity Improper Verification of Cryptographic Signature (CWE-347) vulnerability in Connectwise (inferred from references). Its CVSS base score is 9.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 5.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SC-12 (Cryptographic Key Establishment and Management).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly requires identification, reporting, and timely remediation of the specific flaw in ScreenConnect's authentication mechanism that enables exploitation when cryptographic material is accessed.

SC-12 Cryptographic Key Establishment and Management good match

prevent

Establishes and protects cryptographic keys used for authentication, preventing unauthorized access to the server-level material required to trigger the vulnerability.

IA-5 Authenticator Management good match

prevent

Mandates protection of authenticators, including server cryptographic material for authentication, commensurate with the information's security category to block misuse.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

T1550 Use Alternate Authentication Material Lateral Movement

Adversaries may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls.

attack.mitre.org →

Why these techniques?

Vuln in public-facing ScreenConnect server enables remote exploitation for unauthorized access (T1190) and elevated privileges (T1068) via misuse of obtained cryptographic auth material (T1550).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

A condition in ScreenConnect may allow an actor with access to server-level cryptographic material used for authentication to obtain unauthorized access, including elevated privileges, in certain scenarios.

Deeper analysisAI

CVE-2026-3564 is a vulnerability in ScreenConnect that involves a condition allowing an actor with access to server-level cryptographic material used for authentication to obtain unauthorized access, including elevated privileges, in certain scenarios. This issue, associated with CWE-347 (Incorrect Comparison), was published on 2026-03-17 and carries a CVSS v3.1 base score of 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating critical severity with network accessibility, high attack complexity, no required privileges or user interaction, and high impacts across confidentiality, integrity, and availability with a change in scope.

An attacker who gains access to the server's cryptographic material for authentication can exploit this vulnerability remotely without privileges. Successful exploitation enables unauthorized access to the ScreenConnect instance, potentially including elevated privileges, allowing full compromise of the affected system in the specified scenarios.

ConnectWise has issued a security bulletin addressing this vulnerability, available at https://www.connectwise.com/company/trust/security-bulletins/2026-03-17-screenconnect-bulletin, which provides details on mitigations and patches.