CVE-2025-3935 - ViewState Code Injection Attack Affecting ScreenConnect Versions 25.2.3 and Earlier

ScreenConnect, a popular remote support and remote access software tool, might be susceptible to a ViewState code injection attack. The affected versions include 25.2.3 and all earlier versions. In this post, we'll take a closer look at the vulnerability, explore example code snippets, and provide links to original references.

Background

First, let's understand what ViewState is. ViewState is a mechanism used by ASP.NET Web Forms for preserving the page and control state between round trips. The data is encoded using Base64 and protected by machine keys. ViewState is an essential feature of the ASP.NET Web Forms framework, and it is used by many applications, including ScreenConnect.

The Vulnerability

The ViewState code injection attack risk does not come from a vulnerability introduced by ScreenConnect. Instead, it originates from the platform level behavior of ASP.NET Web Forms. It is important to note that gaining access to these machine keys necessitates privileged system-level access.

If an attacker manages to compromise the machine keys, they could create and send a malicious ViewState to the website with potential for remote code execution on the server.

Here's a loosely written example of how code injection could work

// Malicious ViewState
string maliciousViewState = "AAA...";

// Decode and Deserialize the ViewState
object decodedViewState = Deserialize(Base64Decode(maliciousViewState));

// Execute the code
ExecuteCode(decodedViewState);

Please note this example is for illustrative purposes only and is not a working piece of code.

References

- ScreenConnect Release Notes
- ASP.NET ViewState Overview)

The Patch

ScreenConnect 2025.4 patch addresses this issue by disabling ViewState and removing any dependency on it. It is highly recommended for users of affected versions to update their ScreenConnect installations to the latest patched version to help mitigate any potential ViewState code injection attacks.

Protecting the web server and database server appropriately

In conclusion, while the risk originates from platform level behavior, it is essential to keep your software up-to-date and implement best security practices to ensure the safety of your data and systems. Remember to update your ScreenConnect installations and stay informed of any new developments related to this vulnerability.

Timeline

Published on: 04/25/2025 19:15:49 UTC