Screenconnect

screenconnect

Vendor: Connectwise • 8 CVEs

CVEs (8)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2025-14823 1Connectwise 1Screenconnect Jan 16, 2026 Dec 18, 2025 N/A· v4 5.3 MEDIUM· v3 N/A· v2 In deployments using the ScreenConnect™ Certificate Signing Extension, encrypted configuration values including an Azure Key Vault-related key, could be returned to unauthenticated users through a client-facing endpoint...Show more In deployments using the ScreenConnect™ Certificate Signing Extension, encrypted configuration values including an Azure Key Vault-related key, could be returned to unauthenticated users through a client-facing endpoint under certain conditions. The values remained encrypted and securely stored at rest; however, an encrypted representation could be exposed in client responses. Updating the Certificate Signing Extension to version 1.0.12 or higher ensures configuration handling occurs exclusively on the server side, preventing encrypted values from being transmitted to or rendered by client-side components.Show less
CVE-2025-14265 1Connectwise 1Screenconnect Jan 16, 2026 Dec 11, 2025 N/A· v4 9.1 CRITICAL· v3 N/A· v2 In versions of ScreenConnect™ prior to 25.8, server-side validation and integrity checks within the extension subsystem could allow the installation and execution of untrusted or arbitrary extensions by authorized or adm...Show more In versions of ScreenConnect™ prior to 25.8, server-side validation and integrity checks within the extension subsystem could allow the installation and execution of untrusted or arbitrary extensions by authorized or administrative users. Abuse of this behavior could result in the execution of custom code on the server or unauthorized access to application configuration data. This issue affects only the ScreenConnect server component; host and guest clients are not impacted. ScreenConnect 25.8 introduces enhanced server-side configuration handling and integrity checks to ensure only trusted extensions can be installed.Show less
CVE-2025-3935 1Connectwise 1Screenconnect Oct 24, 2025 Apr 25, 2025 N/A· v4 7.2 HIGH· v3 N/A· v2 ScreenConnect versions 25.2.3 and earlier versions may be susceptible to a ViewState code injection attack. ASP.NET Web Forms use ViewState to preserve page and control state, with data encoded using Base64 protected by...Show more ScreenConnect versions 25.2.3 and earlier versions may be susceptible to a ViewState code injection attack. ASP.NET Web Forms use ViewState to preserve page and control state, with data encoded using Base64 protected by machine keys. It is important to note that to obtain these machine keys, privileged system level access must be obtained. If these machine keys are compromised, attackers could create and send a malicious ViewState to the website, potentially leading to remote code execution on the server. The risk does not originate from a vulnerability introduced by ScreenConnect, but from platform level behavior. This had no direct impact to ScreenConnect Client. ScreenConnect 2025.4 patch disables ViewState and removes any dependency on it.Show less
CVE-2024-1709 1Connectwise 1Screenconnect Feb 26, 2026 Feb 21, 2024 N/A· v4 10.0 CRITICAL· v3 N/A· v2 ConnectWise ScreenConnect 23.9.7 and prior are affected by an Authentication Bypass Using an Alternate Path or Channel vulnerability, which may allow an attacker direct access to confidential information or critical...Show more ConnectWise ScreenConnect 23.9.7 and prior are affected by an Authentication Bypass Using an Alternate Path or Channel vulnerability, which may allow an attacker direct access to confidential information or critical systems.Show less
CVE-2024-1708 1Connectwise 1Screenconnect Apr 28, 2026 Feb 21, 2024 N/A· v4 8.4 HIGH· v3 N/A· v2 ConnectWise ScreenConnect 23.9.7 and prior are affected by path-traversal vulnerability, which may allow an attacker the ability to execute remote code or directly impact confidential data or critical systems.
CVE-2023-47257 1Connectwise 2Automate Screenconnect May 7, 2025 Feb 1, 2024 N/A· v4 8.1 HIGH· v3 N/A· v2 ConnectWise ScreenConnect through 23.8.4 allows man-in-the-middle attackers to achieve remote code execution via crafted messages.
CVE-2023-47256 1Connectwise 2Automate Screenconnect Jun 17, 2025 Feb 1, 2024 N/A· v4 5.5 MEDIUM· v3 N/A· v2 ConnectWise ScreenConnect through 23.8.4 allows local users to connect to arbitrary relay servers via implicit trust of proxy settings
CVE-2022-36781 1Connectwise 1Screenconnect Nov 21, 2024 Sep 28, 2022 N/A· v4 5.3 MEDIUM· v3 N/A· v2 ConnectWise ScreenConnect versions 22.6 and below contained a flaw allowing potential brute force attacks on custom access tokens due to inadequate rate-limiting controls in the default configuration. Attackers could exp...Show more ConnectWise ScreenConnect versions 22.6 and below contained a flaw allowing potential brute force attacks on custom access tokens due to inadequate rate-limiting controls in the default configuration. Attackers could exploit this vulnerability to gain unauthorized access by repeatedly attempting access code combinations. ConnectWise has addressed this issue in later versions by implementing rate-limiting controls as a preventive measure against brute force attacks.Show less