Remote Maintenance ScreenConnect: Critical vulnerability allows code execution
In the remote maintenance software Connectwise ScreenConnect, authenticated attackers can inject malicious code. An update is available.
In the remote maintenance software ScreenConnect from Connectwise, attackers can exploit a critical security vulnerability to install their own extensions on the server. Updated software is intended to resolve the issue.
The vulnerability description states that "server-side validation and integrity checking within the extension subsystem allow the installation and execution of untrusted or arbitrary extensions by authenticated or administrative users." Abuse of this behavior could lead to the execution of custom code or unauthorized access to the app's configuration data. "The issue exclusively affects the ScreenConnect server component; host and guest clients are not affected," the authors of the advisory clarify (CVE-2025-14265, CVSS 9.1, risk "critical").
Updated Software
Connectwise has released the ScreenConnect 25.8 Security Patch. The update is intended to correct the issue by strengthening server-side validation and integrity checking during extension installation, "and generally improving platform security and stability," as Connectwise writes in a security advisory. Connectwise's own classification deviates from the CVSS risk assessment: the company considers the issue important but rates the priority as only moderate. The decisive factor is that malicious actors must already be authorized in order to exploit the vulnerability.
The manufacturer has already distributed the updated software for cloud products. However, those using the software on-premises should download and install the updates from the ScreenConnect website. Both servers and guest clients should be updated to version 25.8 (or newer). The company also provides instructions that administrators should follow.
IT managers should ensure that the update is carried out promptly. ScreenConnect vulnerabilities are highly sought after by cybercriminals. For example, attacks on ScreenConnect became known in June. Additionally, ScreenConnect administrators are targeted by spearphishing attacks.
(dmk)