ConnectWise has disclosed that it’s planning to rotate the digital code signing certificates used to sign ScreenConnect, ConnectWise Automate, and ConnectWise remote monitoring and management (RMM) executables due to security concerns.
The company said it’s doing so “due to concerns raised by a third-party researcher about how ScreenConnect handled certain configuration data in earlier versions.”
While the company did not publicly elaborate on the nature of the problem, it has shed more light in a non-public FAQ accessible only to its customers (and later shared on Reddit) –
The concern stems from ScreenConnect using the ability to store configuration data in an available area of the installer that is not signed but is part of the installer. We are using this ability to pass down configuration information for the connection (between the agent and server) such as the URL where the agent should call back without invalidating the signature. The unsigned area is used by our software and others for customization, however, when coupled with the capabilities of a remote control solution, it could create an insecure design pattern by today’s security standards.
Besides issuing new certificates, the company said it’s releasing an update that’s designed to improve how the aforementioned configuration data is managed in ScreenConnect.
The revocation of digital certificates is expected to take place by June 13 at 8 p.m. ET (June 14, 12 a.m. UTC). ConnectWise has emphasized that the issue does not involve a compromise of its systems or certificates.
It’s worth noting that automatically ConnectWise is already in the process of updating certificates and agents across all its cloud instances of Automate and RMM.
However, those using on-premise versions of ScreenConnect or Automate are required to update to the latest build and validate that all agents are updated before the cutoff date to avoid any possible service disruptions.
“We had already planned enhancements to certificate management and product hardening, but these efforts are now being implemented on an accelerated timeline,” ConnectWise said. We understand this may create challenges and are committed to supporting you through the transition.”
The development comes merely days after the company disclosed that a suspected nation-state threat actor breached its systems and affected a small number of its customers by exploiting CVE-2025-3935 to conduct ViewState code injection attacks.
It also comes as attackers are increasingly relying on legitimate RMM software like ScreenConnect and others to obtain stealthy, persistent remote access, effectively allowing them to blend in with normal activity and fly under the radar.
This attack methodology, called living-off-the-land (LotL), makes it possible to hijack the software’s inherent capabilities for remote access, file transfer, and command execution.
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
Some parts of this article are sourced from:
thehackernews.com
Over 80,000 Microsoft Entra ID Accounts Targeted Using Open-Source TeamFiltration Tool