ConnectWise has revealed that it plans to rotate the digital code signing certificates used to sign ScreenConnect, ConnectWise Automate, and ConnectWise remote monitoring and management (RMM) executables because of security concerns.
The company said it is doing this "because of concerns raised by a third-party researcher about how ScreenConnect handled some configuration data in previous versions."
While the company did not publicly specify the nature of the problem, it shed more light in a non-public FAQ available only to its customers (and later shared on Reddit):
"The concerns relate to ScreenConnect using the ability to store configuration data in an available area of the installer that is not signed but is part of the installer. We use this ability to pass configuration information (between agent and server), such as the URL where the agent should call back, without invalidating the signature. The unsigned area is used by our software and others for customization; however, when combined with the capabilities of a remote control solution, it can create an insecure design by today's security standards."
In addition to issuing new certificates, the company said it has released an update designed to improve how ScreenConnect manages this configuration data.
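An added example, not ConnectWise's code or part of the original article: a defender-side check that lists bytes in a signed PE's Authenticode certificate table that lie outside the signature blob, an area the Authenticode hash does not cover. It assumes the "unsigned area" in the FAQ is of this kind, which the page does not specify; the function names and the sample bytes are constructed for illustration.

```python
import struct

def der_total_len(buf):
    """Header plus content length of the DER element at the start of buf."""
    if len(buf) < 2:
        raise ValueError("truncated DER element")
    if buf[1] < 0x80:                       # short form
        return 2 + buf[1]
    n = buf[1] & 0x7F                       # long form: n length octets follow
    if not 1 <= n <= 4 or len(buf) < 2 + n:
        raise ValueError("unsupported DER length")
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")

def unsigned_cert_table_data(pe):
    """List (file_offset, data) for bytes in the certificate table that lie
    outside the PKCS#7 blob and are more than 8-byte alignment padding."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = nt + 24                           # optional header
    dirs = opt + (112 if struct.unpack_from("<H", pe, opt)[0] == 0x20B else 96)
    if struct.unpack_from("<I", pe, dirs - 4)[0] <= 4:
        return []                           # no certificate table entry
    pos, size = struct.unpack_from("<II", pe, dirs + 4 * 8)  # file offset, not RVA
    end, findings = pos + size, []
    while pos + 8 <= end:
        length, _rev, ctype = struct.unpack_from("<IHH", pe, pos)
        if length < 8 or pos + length > end:
            raise ValueError("malformed WIN_CERTIFICATE")
        body = pe[pos + 8:pos + length]
        used = der_total_len(body) if ctype == 2 else len(body)  # 2 = PKCS#7
        extra = body[used:]
        if len(extra) > 7 or extra.strip(b"\0"):
            findings.append((pos + 8 + used, extra))
        pos += (length + 7) & ~7            # entries are 8-byte aligned
    return findings

def build_sample(trailing=b""):
    """Constructed PE32 skeleton with one fake certificate entry (test input)."""
    body = b"\x30\x82\x01\x00" + b"\xAA" * 256 + trailing   # fake DER SEQUENCE
    body += b"\0" * (-(8 + len(body)) % 8)
    cert = struct.pack("<IHH", 8 + len(body), 0x0200, 2) + body
    hdr = bytearray(0x200)
    hdr[:2], hdr[0x80:0x84] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    struct.pack_into("<H", hdr, 0x80 + 24, 0x10B)
    struct.pack_into("<I", hdr, 0x80 + 24 + 92, 16)          # NumberOfRvaAndSizes
    struct.pack_into("<II", hdr, 0x80 + 24 + 96 + 32, len(hdr), len(cert))
    return bytes(hdr) + cert
```

The check does not look inside the PKCS#7 blob, where unauthenticated attributes are also outside the signed hash, so it complements normal signature verification and does not replace it.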
The revocation of the digital certificates is expected to take place by June 13 at 8:00 pm (June 14 12am). ConnectWise emphasized that the problem does not involve a compromise of its systems or certificates.
It is worth noting that ConnectWise is already automatically updating certificates and agents across all its cloud instances of Automate and RMM.
However, those who use on-premises ScreenConnect or Automate are required to upgrade to the latest build and confirm that all agents are updated before the cutoff date to avoid possible interruptions.
"We had already planned to improve management and hardening, but these efforts are now being implemented on an accelerated timeline," ConnectWise said. "We understand that this can create problems and strive to support you through the transition."
The development comes only a few days after the company disclosed that a suspected nation-state threat actor breached its systems and affected a small number of its customers by using CVE-2025-3935 for ViewState code injection.
It also comes as attackers increasingly rely on legitimate RMM software like ScreenConnect and others to gain stealthy, persistent remote access, effectively allowing them to blend in with normal activity and fly under the radar.
This attack method, called living-off-the-land (LotL), makes it possible to hijack the software's inherent capabilities for remote access, file transfer and command execution.