[CDP-development] Fw: For Anyone that uses ConnectWise ScreenConnect
Galusha, Kevin
KGalusha at clackamas.us
Fri Mar 20 10:21:57 PDT 2026
Cyber Disruptors,
Please see the information below regarding ConnectWise ScreenConnect.
Thank You,
Kevin Galusha, CISSP
Cybersecurity Architect
Clackamas County Technology Services
(503)723-4960
KGalusha at clackamas.us
www.clackamas.us
________________________________
From: Kainoa, Leslie <leslie.kainoa at cisa.dhs.gov>
Sent: Friday, March 20, 2026 10:15 AM
To: Galusha, Kevin <KGalusha at clackamas.us>
Subject: FW: For Anyone that uses ConnectWise ScreenConnect
Hi Kevin,
The message below is from the Alaska Cyber Disruption Group. The Alaska CSC is the Chair and has been sharing his take on relevant cyber information. We have his permission to share as is. Will forward all relevant messages from this point on. Thank you very much!
Respectfully,
Leslie Ann Kainoa, CISSP, GICSP, CDPSE
Cybersecurity State Coordinator
Cybersecurity and Infrastructure Security Agency
Region 10 (OR)
(503) 462-5626
From: Mark Breunig <mark.breunig at alaskacybergroup.org>
Sent: Friday, March 20, 2026 10:01 AM
Subject: For Anyone that uses ConnectWise ScreenConnect
Hi Everyone,
Sending this out for awareness:
A critical vulnerability has been discovered in ConnectWise ScreenConnect which could allow threat actors with access to server-level cryptographic material used for authentication to obtain unauthorized access, including elevated privileges, in certain scenarios.
ConnectWise has released a security update for ScreenConnect that addresses issues related to how server-level cryptographic material is protected. Earlier versions of ScreenConnect stored unique machine keys per instance within server configuration files, which under certain conditions could allow unauthorized actors to extract this material and misuse it for session authentication. ScreenConnect version 26.1 introduces enhanced protections for machine key handling, including encrypted storage and management, reducing the risk of unauthorized access in scenarios where server integrity may be compromised.
Systems Affected
* ScreenConnect versions prior to 26.1
Recommendations
* Apply appropriate updates provided by ConnectWise to vulnerable systems immediately after appropriate testing.
* Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
* Use vulnerability scanning to find potentially exploitable software vulnerabilities to remediate them.
* Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.
* Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.
References
ConnectWise:
https://www.connectwise.com/company/trust/security-bulletins/2026-03-17-screenconnect-bulletin
CVE:
https://www.cve.org/CVERecord?id=CVE-2026-3564
Reporting
The Alaska Cyber Group encourages recipients who discover signs of malicious cyber activity to contact us via either email or phone.
Respectfully,
Mark Breunig
Alaska Cyber Group
Mobile: 907-795-8150
Email: mark.breunig at alaskacybergroup.org