ConnectWise to Rotate ScreenConnect Code Signing Certificates Due to Security Risks

Jun 12, 2025 | Ravie Lakshmanan | Vulnerability / Software Security


ConnectWise has announced plans to rotate the digital code signing certificates used to sign ScreenConnect, ConnectWise Automate, and ConnectWise remote monitoring and management (RMM) executables due to security concerns.

The decision to rotate certificates was made in response to concerns raised by a third-party researcher regarding how ScreenConnect handled certain configuration data in earlier versions.

While specifics about the issue were not publicly disclosed, additional information has been provided in a non-public FAQ accessible to ConnectWise customers (subsequently shared on Reddit):

The concern revolves around ScreenConnect utilizing the ability to store configuration data in an unsigned area of the installer that is part of the installer itself. This information is used to pass down configuration details for the connection between the agent and server, such as the callback URL for the agent, without impacting the signature. Although the unsigned area is utilized for customization by the software and others, it could potentially lead to an insecure design when combined with the functionalities of a remote control solution, as per modern security standards.

In addition to issuing new certificates, ConnectWise is rolling out an update aimed at enhancing how the aforementioned configuration data is handled in ScreenConnect.
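A defender-side check for the kind of unsigned installer data the FAQ excerpt describes, added here as an example and not code from ConnectWise or the original article. It assumes the unsigned area is the PE attribute certificate table, which the Authenticode file hash does not cover; `cert_table_slack`, `build_sample` and the sample trailer value are hypothetical and constructed for illustration.

```python
import struct
# Assumption: the "unsigned area" is the PE attribute certificate table.
SECURITY_DIR = 4  # index of IMAGE_DIRECTORY_ENTRY_SECURITY

def der_total_len(buf):
    """Size of the outer DER SEQUENCE: tag + length octets + content."""
    if len(buf) < 2 or buf[0] != 0x30:
        raise ValueError("certificate blob is not a DER SEQUENCE")
    if buf[1] < 0x80:
        return 2 + buf[1]
    n = buf[1] & 0x7F
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")

def cert_table_slack(pe):
    """Return [(file_offset, extra_bytes)] for each WIN_CERTIFICATE entry
    that carries more than alignment padding after its PKCS#7 blob."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = e_lfanew + 24                            # optional header start
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (112 if magic == 0x20B else 96)   # PE32+ vs PE32
    off, size = struct.unpack_from("<II", pe, dirs + 8 * SECURITY_DIR)
    findings, pos, end = [], off, min(off + size, len(pe))
    while off and pos + 8 <= end:                  # off is a file offset, not an RVA
        dw_len = struct.unpack_from("<I", pe, pos)[0]
        if dw_len < 8:
            break
        blob = pe[pos + 8:pos + dw_len]
        extra = blob[der_total_len(blob):]
        if len(extra) > 7 or extra.strip(b"\0"):   # beyond 8-byte zero padding
            findings.append((pos, extra))
        pos += (dw_len + 7) & ~7                   # entries are 8-byte aligned
    return findings

def build_sample(trailer=b""):
    """Constructed PE32 skeleton with one certificate entry (not a real signature)."""
    der = b"\x30\x82\x01\x00" + bytes(256)         # stand-in for a PKCS#7 blob
    body = der + trailer
    body += bytes(-(len(body) + 8) % 8)            # pad the entry to 8 bytes
    cert = struct.pack("<IHH", 8 + len(body), 0x0200, 0x0002) + body
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)        # e_lfanew
    hdr[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x80 + 24, 0x10B)  # PE32 magic
    struct.pack_into("<II", hdr, 0x80 + 24 + 96 + 32, len(hdr), len(cert))
    return bytes(hdr) + cert
```

The check only covers bytes that follow the PKCS#7 structure inside a certificate entry; data carried in unauthenticated attributes within the signature itself would need an ASN.1 parser to surface.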

The certificate revocation process is scheduled to take place by June 13 at 8 p.m. ET (June 14, 12 a.m. UTC). ConnectWise has emphasized that this issue does not involve a breach of its systems or certificates.

It is important to note that ConnectWise is already in the process of updating certificates and agents across all its cloud instances of Automate and RMM automatically.

However, users of on-premise versions of ScreenConnect or Automate are advised to update to the latest build and ensure all agents are updated before the cutoff date to prevent any potential service disruptions.

"We had already planned enhancements to certificate management and product hardening, but these efforts are now being implemented on an accelerated timeline," stated ConnectWise. The company acknowledges the potential challenges this may pose and is committed to assisting users through the transition.

This development follows shortly after ConnectWise disclosed that a suspected nation-state threat actor compromised its systems and impacted a small number of customers by exploiting CVE-2025-3935 for ViewState code injection attacks.

Furthermore, attackers are increasingly leveraging legitimate RMM software such as ScreenConnect to gain covert, persistent remote access, enabling them to operate discreetly and avoid detection.

Known as living-off-the-land (LotL), this attack technique allows threat actors to exploit the software’s inherent functionalities for remote access, file transfers, and command execution.