CVE-2025-3935 - PatchNow

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2025-04-25

Added to CISA KEV: 2025-06-02 38 DAYS BETWEEN CVE AND KEV

🎯 Recommendations:

CRITICAL: Check for indicators of compromise - this vulnerability is in CISA KEV indicating active exploitation in the wild. Review logs, check for unauthorized access, verify system integrity
Immediately upgrade on-premises ScreenConnect to version 25.2.4 or later (Cloud instances are already patched)
Monitor ScreenConnect access logs for suspicious authentication attempts or unusual administrative activities
Review system integrity and check for signs of compromise on ScreenConnect servers
Patch priority: CRITICAL - Apply immediately due to active exploitation and RCE capability

🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2025-3935 is a high-severity vulnerability (CVSS 8.1) identified in ConnectWise ScreenConnect versions 25.2.3 and earlier ^[1].

Below is a summary of the known details regarding this vulnerability:

Vulnerability Overview

Nature of Vulnerability: The issue is a ViewState code injection vulnerability ^[5].
Root Cause: It stems from platform-level behavior in ASP.NET Web Forms, which use ViewState to preserve page and control state. Data is encoded using Base64 and protected by machine keys; if these machine keys are compromised, an attacker can create and send a malicious ViewState to the server ^[2].
Impact: Successful exploitation can potentially lead to Remote Code Execution (RCE) on the server, resulting in system compromise or data leakage ^[1] ^[2].

Exploitation and Attack Details

Attack Vector: Network-based ^[1].
User Interaction: None required ^[1].
Active Exploitation/Threat Actors: There is no widespread public documentation confirming active exploitation in the wild or specific attribution to ransomware campaigns or targeted threat actors at this time.
Proof-of-Concept/Exploit Availability: While the vulnerability is well-documented as a theoretical risk involving machine key compromise, there are no widely reported public exploit tools or functional PoCs specifically targeting this CVE in the wild.

Affected Versions and Mitigation

Affected Versions: ConnectWise ScreenConnect versions 25.2.3 and all earlier versions ^[3].
Patch/Mitigation Status: The issue was addressed in ScreenConnect 2025.4, which disables ViewState and removes the application's dependency on it entirely ^[3] ^[2]. Organizations are advised to upgrade to version 2025.4 or later to effectively mitigate the risk ^[4].

Sources

CVE-2025-3935: ViewState Code... - Ameeba Security Research
One such vulnerability is the CVE-2025-3935, which affects ScreenConnect versions 25.2.3 and earlier. This vulnerability arises from an issue with ViewState, a feature used by ASP.NET Web Forms to preserve state information.CVE ID: CVE-2025-3935 Severity: High (8.1 CVSS Score) Attack Vector: Network…
ScreenConnect versions 25.2.3 and earlier versions may be.
Affected versions.If these machine keys are compromised, attackers could create and send a malicious ViewState to the website, potentially leading to remote code execution on the server. The risk does not originate from a vulnerability introduced by ScreenConnect, but from platform level behavior. T…
CVE-2025-3935 - Overview, Insights & Trends
CVE-2025-3935 affects ScreenConnect versions 25.2.3 and earlier. It is a ViewState code injection vulnerability in ASP.NET Web Forms.The risk does not originate from a vulnerability introduced by ScreenConnect, but from platform level behavior. This had no direct impact to ScreenConnect Client. Scre…
CVE-2025-3935 | High Vulnerability in ConnectWise ScreenConnect
Vulnerability Details. The vulnerability is described as a ViewState code injection issue affecting ScreenConnect versions 25.2.3 and earlier. ... Affected Versions ScreenConnect versions 25.2.3 and earlier are affected by this vulnerability. Organizations should upgrade to ScreenConnect 2025.4 or l…
CVE-2025-3935 Detail - NVD
ScreenConnect versions 25.2.3 and earlier versions may be susceptible to a ViewState code injection attack. ASP.NET Web Forms use ViewState to preserve page ...