ConnectWise has issued an urgent security alert for its ScreenConnect remote desktop software. It describes a serious cryptographic flaw that could let unauthenticated attackers steal server-level machine keys and take over session authentication.
The flaw, tracked as CVE-2026-3564, affects all versions of ScreenConnect before 26.1 and carries a CVSS score of 9.0, the low end of the Critical band (9.0 to 10.0) in CVSS v3.1. The root cause is how older versions of ScreenConnect stored the unique machine keys and cryptographic identifiers for each server instance: in plain text in server configuration files. An attacker who can read the filesystem or the configuration data can therefore obtain this material without needing elevated privileges on the target system.
Once extracted, the machine keys can be used to mint or alter session authentication tokens, letting the attacker impersonate legitimate sessions and bypass access controls. The vulnerability is classified as CWE-347 (Improper Verification of Cryptographic Signature), which points to the underlying problem: the software did not adequately validate this cryptographic material before relying on it for authentication decisions. The CVSS vector indicates that the flaw is exploitable over the network with no privileges or user interaction required, but the attack complexity is rated High, meaning conditions outside the attacker's direct control must hold for an attack to succeed.
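To make the mechanism concrete, here is an added example that is not ScreenConnect's code: a toy model in which a server-side machine key signs session tokens with HMAC-SHA256. The JSON config layout, the "payload.tag" token format and every function name are assumptions constructed for illustration. The walk-through shows that the verifier itself rejects tampered tokens, that a key read out of a plaintext config lets an attacker mint tokens the server cannot distinguish from real ones, and that only rotating the key invalidates tokens minted under a stolen copy (encrypting the config afterwards does not).

```python
"""
Added example (not ScreenConnect's code): a toy model of a machine key that
signs session tokens, to show why plaintext key storage is fatal.
Assumptions, all constructed for illustration: the JSON config layout, the
"payload.hmac" token format, and every function name below.
"""
import base64
import hashlib
import hmac
import json
import secrets


def dump_config(machine_key: bytes) -> str:
    """Assumed pre-26.1 layout: the secret sits in plain text beside ordinary settings."""
    return json.dumps({"listenPort": 8040,
                       "machineKey": base64.b64encode(machine_key).decode()})


def extract_key_from_config(config_text: str) -> bytes:
    """Attacker side: a single file read yields the signing key. No login needed."""
    return base64.b64decode(json.loads(config_text)["machineKey"])


def issue_token(key: bytes, user: str, role: str, exp: int) -> str:
    """Mint a session token: base64url(claims) + '.' + hex HMAC-SHA256 tag."""
    claims = json.dumps({"user": user, "role": role, "exp": exp},
                        separators=(",", ":"), sort_keys=True)
    payload = base64.urlsafe_b64encode(claims.encode()).decode()
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_token(key: bytes, token: str, now: int):
    """Return the claims if the tag verifies under `key` and the token is unexpired, else None."""
    payload, sep, tag = token.partition(".")
    if not sep:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):   # constant-time compare
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if claims["exp"] < now:
        return None
    return claims


def tamper_role(token: str, new_role: str) -> str:
    """Edit the claims without the key, keeping the old tag: all an attacker without the key can do."""
    payload, _, tag = token.partition(".")
    claims = json.loads(base64.urlsafe_b64decode(payload))
    claims["role"] = new_role
    new_payload = base64.urlsafe_b64encode(
        json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()).decode()
    return f"{new_payload}.{tag}"


def demo(server_key: bytes, now: int = 1_700_000_000):
    """Walk through the attack and the one mitigation that helps after a leak: rotation."""
    config_text = dump_config(server_key)
    stolen = extract_key_from_config(config_text)

    # 1. Without the key, editing a token fails signature verification (the verifier works).
    legit = issue_token(server_key, "alice", "user", now + 3600)
    tampered_ok = verify_token(server_key, tamper_role(legit, "admin"), now) is not None

    # 2. With the key read out of the config, a forged admin token is indistinguishable from a real one.
    forged = issue_token(stolen, "mallory", "admin", now + 3600)
    forged_ok = verify_token(server_key, forged, now) is not None

    # 3. Encrypting the config later does not help against a copy already taken;
    #    only a fresh key invalidates tokens minted under the stolen one.
    rotated_key = secrets.token_bytes(32)
    forged_after_rotation_ok = verify_token(rotated_key, forged, now) is not None

    return {"tampered_accepted": tampered_ok,
            "forged_accepted": forged_ok,
            "forged_accepted_after_rotation": forged_after_rotation_ok}


if __name__ == "__main__":
    print(demo(secrets.token_bytes(32)))
```

The point of step 1 is that a correctly implemented verifier does not save you: the attack described in the advisory never has to defeat the signature check, because the attacker signs with the genuine key. Any defence therefore has to keep the key out of readable storage (what 26.1 does) and, where a leak may already have happened, replace the key so that previously minted tokens stop validating.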
The scope is marked as "Changed," meaning a successful exploit can affect resources beyond the vulnerable component itself. That is a significant concern in enterprise remote access environments, where ScreenConnect is widely deployed.
ConnectWise has assigned the vulnerability a Priority 1 (High) rating, indicating that it is either being actively targeted or is at elevated risk of exploitation in the wild. Organizations running on-premises ScreenConnect servers are the ones exposed and should treat the fix as an emergency change, ideally within days of the advisory's release. ScreenConnect 26.1 addresses the issue by adding encrypted storage and improved key management for machine key material.
This makes unauthorized key recovery far harder, even when the server's integrity is only partially compromised. Note that encrypted storage does not retroactively protect key material that was already copied from a pre-26.1 install; any such copy should be treated as compromised. Cloud-hosted ScreenConnect instances need no action, as ConnectWise has already applied the changes on the backend. On-premises partners, however, must download version 26.1 manually from the official ScreenConnect download page, and expired maintenance licenses must be renewed before the update can be applied.
Given the Critical CVSS score and Priority 1 classification, security teams responsible for on-premises ScreenConnect deployments should patch immediately and review session logs for unusual authentication activity that could indicate exploitation before the fix was applied.
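The advisory does not say what "unusual authentication activity" looks like, so here is an added example of one heuristic that follows directly from the attack: a token forged with a stolen machine key skips the login step, so a session that starts without a recent successful login for the same user deserves a look. This is not ScreenConnect's log format or tooling; the line format, the field names and the sample lines are constructed for illustration, and the code assumes lines arrive in chronological order.

```python
"""
Added example (not ScreenConnect's code or log format): a detection heuristic
for sessions that were authenticated without a matching login. A forged token
skips the login step, so a SessionStart with no recent LoginSuccess for the
same user is the kind of anomaly worth pulling out of session logs.
The log line format and the sample lines are constructed for illustration.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed log format: "<timestamp> <event> user=<u> ip=<ip> [session=<id>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\w+) user=(?P<user>\S+) ip=(?P<ip>\S+)(?: session=(?P<sid>\S+))?$"
)

# Constructed sample: s2 and s5 belong to "admin", who never logged in;
# s4 follows carol's login by 10 minutes, outside the 5-minute window.
SAMPLE_LOG = """\
2026-02-12T09:00:01Z LoginSuccess user=alice ip=10.0.0.5
2026-02-12T09:00:02Z SessionStart user=alice ip=10.0.0.5 session=s1
2026-02-12T09:05:00Z SessionStart user=admin ip=203.0.113.9 session=s2
2026-02-12T09:06:00Z LoginSuccess user=bob ip=10.0.0.7
2026-02-12T09:06:01Z SessionStart user=bob ip=10.0.0.7 session=s3
2026-02-12T09:20:00Z LoginSuccess user=carol ip=10.0.0.8
2026-02-12T09:30:00Z SessionStart user=carol ip=10.0.0.8 session=s4
2026-02-12T09:31:00Z SessionStart user=admin ip=198.51.100.4 session=s5
"""


def parse_log(text: str):
    """Yield a dict per well-formed line; malformed lines are skipped, not guessed at."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield rec


def sessions_without_login(text: str, window: timedelta = timedelta(minutes=5)):
    """Return SessionStart records with no LoginSuccess for the same user within `window` before them.

    Assumes the log is in chronological order (sort by timestamp first if it is not).
    """
    last_login = {}          # user -> timestamp of the most recent LoginSuccess seen so far
    suspicious = []
    for rec in parse_log(text):
        if rec["event"] == "LoginSuccess":
            last_login[rec["user"]] = rec["ts"]
        elif rec["event"] == "SessionStart":
            seen = last_login.get(rec["user"])
            if seen is None or rec["ts"] - seen > window:
                suspicious.append({"session": rec["sid"], "user": rec["user"],
                                   "ip": rec["ip"], "ts": rec["ts"].isoformat()})
    return suspicious


if __name__ == "__main__":
    for s in sessions_without_login(SAMPLE_LOG):
        print(f"no matching login: session={s['session']} user={s['user']} "
              f"ip={s['ip']} at {s['ts']}")
```

Tune the window to how your deployment actually behaves (long-lived tokens legitimately outlive a login by more than five minutes), and treat hits as leads rather than verdicts: an admin session from an address never seen before, with no login behind it, is exactly the shape a forged-token login would take.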