ConnectWise just dropped another critical ScreenConnect vulnerability. If you’re running an on-prem deployment, you need to patch today. Not this week. Today.
Here’s the flaw: CVE-2026-3564, scored 9.0 on CVSS 3.1. Earlier versions of ScreenConnect stored unique machine keys in server configuration files in plaintext. An attacker who gets access to those files can extract the keys, forge session tokens, and impersonate legitimate users. They don’t need to break your password. They need your config file. That’s a different class of attack.
NIST’s official description says the flaw allows “unauthorized access, including elevated privileges, in certain scenarios.” ConnectWise’s version is more direct: an actor with server-level access to the cryptographic material can authenticate as anyone, do anything, go anywhere inside ScreenConnect.
Fix: upgrade to ScreenConnect 26.1. That version encrypts machine key storage and tightens key management throughout the product.
Who’s Exposed
Cloud-hosted ConnectWise customers were automatically upgraded. You’re fine.
On-prem customers running anything older than 26.1 are exposed. That’s a meaningful slice of the MSP market — plenty of shops run on-prem ScreenConnect either by preference or because their clients require it. If you’re in that group, check your version number right now.
ConnectWise told BleepingComputer they don’t have confirmed evidence of active exploitation of this specific CVE. But they also noted researchers have observed attempts to abuse disclosed machine key material in the wild. The window between “no confirmed exploitation” and “actively being hammered” closes fast on tools this widely deployed.
There are also unverified claims that Chinese threat actors have been exploiting similar machine key weaknesses for years. That’s not confirmed, but it’s not nothing either.
This Is the Second Time in Under a Year
Last June, CISA warned that hackers were actively exploiting a different ScreenConnect vulnerability from May 2025 — a ViewState code injection flaw. That one involved a nation-state actor, and ConnectWise brought in Mandiant to clean up.
ConnectWise’s chief product officer was careful to say CVE-2026-3564 is “not the same issue” as last year’s attack. That’s probably true. But two critical vulnerabilities in the same product inside twelve months is a pattern worth naming. The broader reality is that your MSP tools are becoming the attack surface. The root cause may be different each time, but the lesson is the same: ScreenConnect is a high-value target, it’s deployed everywhere, and attackers know it.
ConnectWise has committed to ongoing security hardening. Their statement: “We have taken additional steps over the past year to reduce attack surface across our products, including removing prior dependencies, strengthening key management practices, and expanding our internal review and hardening processes.”
That’s the right language. The next move is showing it over time, not just after a CVE drops.
What to Do Monday Morning
If you run cloud-hosted ScreenConnect: You’re already on 26.1. Verify it in your admin portal anyway.
If you run on-prem ScreenConnect:
- Check your current version
- If it’s older than 26.1, upgrade immediately
- After upgrading, review access to your server configuration files — who has it, who shouldn’t
- Check authentication logs for anything unusual over the past 30 days
- Rotate any keys or credentials that may have been stored near the config files
- Make sure any out-of-maintenance licenses are renewed before upgrading — ConnectWise requires it
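For the config file access review in the list above, an added example (not ConnectWise tooling and not code from this article): a PowerShell function that lists every principal allowed to read a given file and flags the ones outside an expected baseline. The function name, the baseline list and the path are assumptions; the article does not say where the config file lives.

```powershell
# Added example. Lists principals that can read a server config file.
function Get-ConfigReadAccess {
    param(
        # Placeholder: the article does not give the config file location.
        [Parameter(Mandatory)] [string] $ConfigPath,
        # Assumed baseline; add the account your ScreenConnect services run as.
        [string[]] $Expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    )
    $acl = Get-Acl -LiteralPath $ConfigPath
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # ReadData (0x1), or the unmapped GENERIC_READ / GENERIC_ALL bits,
        # all let the holder read the file contents.
        $raw = [int]$ace.FileSystemRights
        $canRead = ($raw -band 0x1) -or ($raw -band 0x80000000) -or ($raw -band 0x10000000)
        if (-not $canRead) { continue }
        $id = $ace.IdentityReference.Value
        [pscustomobject]@{
            Identity   = $id
            Rights     = $ace.FileSystemRights
            Inherited  = $ace.IsInherited
            Owner      = $acl.Owner
            Unexpected = $id -notin $Expected
        }
    }
}

# Usage (path is a placeholder):
# Get-ConfigReadAccess -ConfigPath 'D:\path\to\config-file' | Where-Object Unexpected
```

Group entries are not expanded and Deny entries are skipped, so review the membership of any group it reports before treating the result as the full list of readers.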
For your clients: The perimeter-based security model is already gone — attackers are logging in with real credentials, not breaking through firewalls. If you manage client endpoints via ScreenConnect and you’ve been running a vulnerable version, you need to communicate this. Don’t wait for them to ask. The conversation is much easier when you’re the one initiating it, and the one who already patched.
The Stack Conversation This Starts
This is the kind of event that forces a real conversation about your PSA and RMM security posture. ScreenConnect is a privileged tool. It sits on top of your clients’ endpoints. A compromised ScreenConnect instance isn’t just a headache — it’s a vector into everything your clients trust you to protect.
If you’ve been running out-of-maintenance licenses to avoid upgrade costs, that calculus just changed. The license renewal is cheaper than the breach response, and you already know it.
Patch. Then audit. Then document what you did. This is exactly the kind of incident response action that differentiates MSPs who take security seriously from those who just market it. The Cisco firewall zero-day interlock earlier this year showed the same pattern — trusted infrastructure becoming an entry point.