ScreenConnect Vulnerability Allows Hackers to Extract Unique Machine Keys and Hijack Sessions
Cybersecurity News, archived Mar 18, 2026
ConnectWise has issued an urgent security advisory for its ScreenConnect remote desktop software, disclosing a critical cryptographic vulnerability that could allow unauthenticated attackers to extract server-level machine keys and hijack session authentication.
The flaw, tracked as CVE-2026-3564, affects all ScreenConnect versions prior to 26.1 and carries a CVSS score of 9.0, placing it firmly in the critical-to-important severity tier.
At the core of the issue is how older versions of ScreenConnect stored unique machine keys and cryptographic identifiers tied to each server instance.
These keys were written in plaintext within server configuration files, meaning that under certain conditions, an attacker who gains access to the filesystem or configuration data could extract this material without needing elevated privileges on the target system.
Once extracted, the machine keys can be weaponized to forge or manipulate session authentication tokens, effectively impersonating legitimate sessions and bypassing access controls.
The vulnerability is classified under CWE-347 (Improper Verification of Cryptographic Signature), highlighting the root cause: the software’s failure to adequately verify the integrity of these cryptographic components before trusting them for authentication decisions.
The CVSS vector indicates network exploitability with no privileges or user interaction required, though the high attack complexity reflects that specific conditions must be met.
Notably, the scope is marked as Changed, meaning a successful exploit could impact resources beyond the vulnerable component itself, a significant concern in enterprise remote access environments where ScreenConnect is widely deployed.
ConnectWise has assigned this vulnerability a Priority 1 (High) rating, indicating it is either actively being targeted or at elevated risk of exploitation in the wild. Organizations running on-premises ScreenConnect deployments are particularly exposed and should treat remediation as an emergency change, ideally within days of the advisory’s release.
The updated ScreenConnect version 26.1 addresses the flaw by introducing encrypted storage and enhanced key management for machine key material, significantly reducing the risk of unauthorized extraction even if server integrity is partially compromised.
Cloud-hosted ScreenConnect instances require no action, as ConnectWise has already applied mitigations on the backend. On-premises partners, however, must manually upgrade to version 26.1 through the official ScreenConnect download page.
Lapsed maintenance licenses must be renewed before the update can be applied.
Given the near-critical CVSS score and Priority 1 classification, security teams managing on-premises ScreenConnect deployments should prioritize patching immediately and audit session logs for any anomalous authentication activity that could indicate prior exploitation attempts.
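As a starting point for that triage, the following added example (not ConnectWise code and not part of the original article) flags an install that is older than 26.1 and reports whether a configuration file holds literal key material. The article does not name the file or its format, so the ASP.NET-style `<machineKey>` element, the function names and the sample configuration are assumptions.

```python
import re
import xml.etree.ElementTree as ET

FIXED_VERSION = (26, 1)  # per the advisory: versions prior to 26.1 are affected
# Assumption: keys sit in a standard ASP.NET <machineKey> element.
KEY_ATTRS = ("validationKey", "decryptionKey")
HEX_KEY = re.compile(r"^[0-9A-Fa-f]{16,}$")

def is_affected(version: str) -> bool:
    """True if the dotted version string is older than 26.1."""
    parts = tuple(int(p) for p in version.split(".")[:2])
    parts += (0,) * (2 - len(parts))  # "26" is treated as 26.0
    return parts < FIXED_VERSION

def plaintext_key_attrs(config_xml: str) -> list[str]:
    """Names of <machineKey> attributes that hold a literal hex key.
    Key values are never returned, so the report itself leaks nothing."""
    found = []
    for elem in ET.fromstring(config_xml).iter("machineKey"):
        for attr in KEY_ATTRS:
            value = elem.get(attr, "")
            # "AutoGenerate[,IsolateApps]" means no key is stored in the file.
            if HEX_KEY.match(value.split(",")[0]):
                found.append(attr)
    return found

def audit(version: str, config_xml: str) -> dict:
    """Combine the version check and the key-storage check into one finding."""
    affected = is_affected(version)
    attrs = plaintext_key_attrs(config_xml)
    if affected:
        action = "upgrade to 26.1"
    else:
        action = "review key storage" if attrs else "none"
    return {"affected_version": affected,
            "plaintext_key_attrs": attrs,
            "action": action}

# Constructed sample: placeholder hex, not a real key.
SAMPLE_CONFIG = """<configuration><system.web>
  <machineKey validationKey="00112233445566778899AABBCCDDEEFF"
              decryptionKey="AutoGenerate,IsolateApps" />
</system.web></configuration>"""

if __name__ == "__main__":
    print(audit("25.9.3", SAMPLE_CONFIG))
```
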