CVE-2025-14265
Executive summary
A critical vulnerability has been identified in ScreenConnect™ servers that allows an authorized administrator to install a malicious extension, leading to arbitrary code execution. Successful exploitation could result in a complete compromise of the server, unauthorized access to sensitive configuration data, and a pivot point for further attacks into the network. Organizations are urged to upgrade to the patched version immediately to mitigate this high-risk threat.
Vulnerability
The vulnerability exists within the extension subsystem of the ScreenConnect server. The server performs insufficient server-side validation and no integrity check on an extension before installing it, so a malicious extension is not rejected. An attacker with administrative or otherwise authorized access to the ScreenConnect server can exploit this by crafting a malicious extension and deploying it through the legitimate installation mechanism. Once installed, the code within the extension executes with the privileges of the ScreenConnect server application, allowing the attacker to run arbitrary code, read or modify application configuration files, and potentially gain full control over the underlying server.
Business impact
This vulnerability is rated as critical severity with a CVSS score of 9.1. Exploitation could have a severe impact on business operations, leading to a complete compromise of the ScreenConnect remote access infrastructure. Potential consequences include the exfiltration of sensitive data stored on or managed by the server, disruption of critical IT support and remote management capabilities, and the server being used as a foothold for lateral movement across the corporate network. The reputational damage and financial loss resulting from a breach of this central management tool could be significant.
Remediation
Immediate Action: Immediately upgrade all ScreenConnect™ server instances to version 25.8 or a later version. The vendor has released this version with enhanced server-side configuration handling and integrity checks that prevent the installation of untrusted extensions. After patching, review server and application logs for any unauthorized or suspicious extension installation activity that may have occurred prior to the update.
Proactive Monitoring: Monitor ScreenConnect audit logs for unusual or unscheduled extension installation events. On the server, monitor for new or unexpected child processes being spawned by the ScreenConnect service. Implement network monitoring to detect and alert on anomalous outbound traffic from the ScreenConnect server, which could indicate a command-and-control (C2) connection.
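As a starting point for the two host-side checks described above, the following Python script is an added example, not ScreenConnect's own code or log format. It flags ExtensionInstall audit events that fall outside an approved change window or were performed by a user not on the approved-installer list, and it flags child processes of the service process that are not on an allowlist. The audit-log line format, the service process name, the extension and process names, and the approval data are all constructed for the example and must be mapped to the real deployment before use.

```python
"""Detection helpers for two indicators named in the advisory: unscheduled
extension installation events in the ScreenConnect audit log, and
unexpected child processes of the ScreenConnect service process.

Added example, not ScreenConnect/ConnectWise code. The log line format,
the service process name, and all sample data below are CONSTRUCTED.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime

# CONSTRUCTED sample audit lines: timestamp | user | event | detail.
SAMPLE_AUDIT_LOG = """\
2025-11-03T09:14:02Z | alice | Login | source=10.0.0.5
2025-11-03T09:20:11Z | alice | ExtensionInstall | id=ReportGenerator version=1.2.0
2025-11-03T22:41:55Z | svc-backup | ExtensionInstall | id=NightlyCleanup version=0.1
2025-11-04T02:03:17Z | alice | ExtensionInstall | id=DashboardWidgets version=3.0
2025-11-04T08:00:00Z | bob | Login | source=10.0.0.7
"""

# CONSTRUCTED approval data: one change ticket window and its approved installer.
APPROVED_WINDOWS = [(datetime(2025, 11, 3, 9, 0), datetime(2025, 11, 3, 10, 0))]
APPROVED_USERS = {"alice"}

# CONSTRUCTED process snapshot as (pid, ppid, image_name). The service image
# name is an assumption; confirm it against the actual host.
SERVICE_IMAGE = "ScreenConnect.Service.exe"
SAMPLE_PROCESSES = [
    (4, 0, "System"),
    (1200, 4, SERVICE_IMAGE),
    (1300, 1200, "expected-helper.exe"),
    (1310, 1200, "cmd.exe"),
    (1400, 4, "svchost.exe"),
]
ALLOWED_CHILDREN = {"expected-helper.exe"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \| (?P<user>[^|]+?) \| (?P<event>[^|]+?) \| (?P<detail>.*)$"
)


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    user: str
    event: str
    detail: str


def parse_audit_log(text: str) -> list[AuditEvent]:
    """Parse the constructed line format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(AuditEvent(ts, m["user"].strip(), m["event"].strip(), m["detail"]))
    return events


def unapproved_extension_installs(events, approved_windows, approved_users):
    """Return ExtensionInstall events outside every approved window or performed
    by a user who is not an approved installer."""
    flagged = []
    for e in events:
        if e.event != "ExtensionInstall":
            continue
        in_window = any(start <= e.ts <= end for start, end in approved_windows)
        if not in_window or e.user not in approved_users:
            flagged.append(e)
    return flagged


def unexpected_service_children(processes, service_image, allowed_children):
    """Return (pid, image) for children of the service process whose image is
    not allowlisted. An empty allowlist flags every child, which is a
    reasonable default since the service normally spawns few processes."""
    service_pids = {pid for pid, _, name in processes if name == service_image}
    return [
        (pid, name)
        for pid, ppid, name in processes
        if ppid in service_pids and name not in allowed_children
    ]


def run_example():
    """Run both checks over the constructed data and return the findings."""
    events = parse_audit_log(SAMPLE_AUDIT_LOG)
    installs = unapproved_extension_installs(events, APPROVED_WINDOWS, APPROVED_USERS)
    children = unexpected_service_children(SAMPLE_PROCESSES, SERVICE_IMAGE, ALLOWED_CHILDREN)
    return installs, children


if __name__ == "__main__":
    installs, children = run_example()
    for e in installs:
        print(f"UNAPPROVED INSTALL {e.ts.isoformat()} user={e.user} {e.detail}")
    for pid, name in children:
        print(f"UNEXPECTED CHILD pid={pid} image={name}")
```

Only the installs that lack both an approved window and an approved user pass silently; the 02:03 installation by an otherwise approved user is still flagged because no change ticket covers that time, which is the multi-person-approval check the compensating controls call for.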
Compensating Controls: If immediate patching is not feasible, implement the following controls to reduce risk:
- Strictly limit administrative access to the ScreenConnect server to a minimal number of highly trusted personnel.
- Implement a rigorous change management process that requires multi-person approval for any new extension installation.
- Use application whitelisting or endpoint detection and response (EDR) solutions on the server to prevent the execution of unauthorized binaries or scripts.
- Isolate the ScreenConnect server in a segmented network zone with strict firewall rules to limit potential lateral movement.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the critical CVSS score of 9.1 and the potential for complete server compromise, we strongly recommend that organizations prioritize the immediate patching of all vulnerable ScreenConnect™ servers to version 25.8 or newer. Although the vulnerability is not currently listed on the CISA KEV catalog, its severity warrants urgent attention. Organizations should assume that administrator accounts could be compromised and must apply the patch as the primary defense, rather than relying solely on access controls.