Your Remote Access Tool Could Be Your Biggest Threat
ConnectWise ScreenConnect is one of the most trusted remote-support tools in financial services and healthcare, and it is under active attack right now. Two critical vulnerabilities, one with nation-state fingerprints, have opened a window of exposure for thousands of organizations that haven’t patched yet.
What Happened: Two Paths Into Your Network
In early 2026, ConnectWise disclosed not one but two severe flaws in ScreenConnect. The first, CVE-2024-1708, is a path-traversal vulnerability originally identified in February 2024 but now resurging as part of new coordinated attack campaigns. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added it to its Known Exploited Vulnerabilities catalog on April 28, 2026, with a federal remediation deadline of May 12. The second flaw, CVE-2026-3564, landed in March 2026. It carries a CVSS 9.0 critical severity rating and enables session hijacking via ASP.NET machine-key extraction: an attacker who obtains the machine key can forge trusted authentication material and walk directly into your network.
The North Korean APT group Kimsuky and other state-sponsored actors have already been observed weaponizing the path-traversal flaw. What makes this a credible threat is what ScreenConnect actually does: if attackers gain access, they get a tunnel directly into hundreds of your downstream client environments, all at once.
Why This Matters for Your Industry
For Credit Unions / Community Banks:
This crosses from technology into regulatory territory. Your exam cycle includes vendor-management controls, and examiners are watching remote-access tools closely. A compromise doesn’t just expose your data; it exposes your clients’ accounts and their trust in you.
For RIAs and Wealth Management Firms:
The math is similar. Your clients trust you with assets and sensitive financial records. A ScreenConnect breach cascades into client notification, SEC scrutiny, and insurance carriers asking harder questions about your vendor oversight.
For Healthcare Practices:
Operating under HIPAA, where any patient data compromise triggers breach notification, regulatory review, and potential fines, the cost isn’t just technical remediation; it’s the integrity of the relationship between you and your patients.
The shared threat across all three sectors is vendor risk. ScreenConnect is deployed precisely because it’s useful, but that utility is the attack surface. If you haven’t patched, you’re operating with an open door to your internal environment, and the adversaries looking for that door include nation-state actors who have already proven they’re willing to use it.
Your Next Steps
First:
Check your inventory immediately. Confirm whether you’re running ScreenConnect on-premises or using the cloud version. ConnectWise auto-patched cloud tenants, so if you’re a cloud customer, you should reach out to your ConnectWise contact to verify you’re on the latest version. If you’re on-premises, you have no auto-patch. You must manually upgrade to version 26.1 or later, and you should do this before May 12 if you’re in a federal contracting position. The deadline is absolute for federal civilian agencies; for private-sector organizations, it’s an urgency signal.
Second:
Hunt for evidence of exploitation in your ScreenConnect logs right now. Look for unusual session activity, unexpected ASP.NET file uploads (.aspx extensions), and any anomalous access to machine-key functions. If you find evidence, assume breach and escalate to incident response and law enforcement notification.
Third:
Layer in monitoring and detection capability. If you’re managing ScreenConnect in-house, ensure you have 24×7 monitoring, detection and response capability focused on remote-access tools. If you don’t, this is the moment to bring in a partner like TorchLight Secured & Managed IT who can. Nation-state actors don’t announce themselves; detection latency can cost you months of undetected access.
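As an added illustration of the hunting step above (not code from the original article or from ConnectWise), the script below scans web-access log lines for the three indicators the article names: traversal sequences in request paths, requests that write or serve .aspx files, and requests reaching for the file that holds the ASP.NET machine key. The log format, the `/App_Extensions/` directory and the `web.config` location are assumptions about a default on-premises layout, and the sample lines are constructed; adapt the regex to your real log source.

```python
import re
from urllib.parse import unquote

# Constructed IIS/W3C-style access-log sample (not real ScreenConnect output).
# Fields: date time method uri-stem uri-query status client-ip
SAMPLE_LOG = """\
2026-03-02 09:14:01 GET /Host - 200 203.0.113.10
2026-03-02 09:14:07 POST /Script.ashx - 200 203.0.113.10
2026-03-02 09:15:22 GET /App_Extensions/../../web.config - 200 198.51.100.7
2026-03-02 09:15:40 PUT /App_Extensions/x/cmd.aspx - 201 198.51.100.7
2026-03-02 09:16:03 GET /Login Reason=%2e%2e%2f%2e%2e%2fApp_Data 302 198.51.100.7
2026-03-02 09:17:11 GET /Administration - 200 203.0.113.11
"""
LINE_RE = re.compile(r"^\S+ \S+ (?P<method>[A-Z]+) (?P<path>\S+) (?P<query>\S+) \d{3} (?P<ip>\S+)$")
TRAVERSAL_RE = re.compile(r"\.\.[\\/]")
EXTENSION_DIR = "/app_extensions/"   # where ScreenConnect extensions live (assumed default layout)
MACHINE_KEY_FILE = "web.config"      # ASP.NET keeps <machineKey> here (assumed default layout)


def classify(method, path, query):
    """Return the indicator names triggered by a single request."""
    target = path + ("?" + query if query != "-" else "")
    target = unquote(unquote(target)).lower()   # decode twice to catch double-encoding
    hits = []
    if TRAVERSAL_RE.search(target):
        hits.append("path_traversal")            # the CVE-2024-1708 class of request
    if method in ("POST", "PUT") and ".aspx" in target:
        hits.append("aspx_write")                # request that could drop an ASP.NET page
    if EXTENSION_DIR in target and target.endswith(".aspx"):
        hits.append("aspx_in_extensions")        # .aspx served from the extensions tree
    if MACHINE_KEY_FILE in target:
        hits.append("machine_key_file_access")   # reaching for the file that holds the key
    return hits


def hunt(log_text):
    """Map each client IP to the sorted indicators it triggered; clean clients are omitted."""
    suspects = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                             # skip headers/blank lines
        hits = classify(m["method"], m["path"], m["query"])
        if hits:
            suspects.setdefault(m["ip"], set()).update(hits)
    return {ip: sorted(h) for ip, h in suspects.items()}


if __name__ == "__main__":
    for ip, indicators in hunt(SAMPLE_LOG).items():
        print(f"{ip}: {', '.join(indicators)}")
```

Any client that trips more than one indicator in a short window is a candidate for the "assume breach" escalation the article describes.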
The difference between a patched environment and an exploited one is often just speed. Your competitors and peers in banking, wealth management, and healthcare are moving on this now. The federal deadline of May 12 is the floor, not the target. If you’d like a partner to audit your ScreenConnect posture, hunt for active exploitation, and manage the upgrade, TorchLight specializes in vendor-risk remediation for regulated environments.
TorchLight specializes in managed security services for organizations where security and compliance are non-negotiable. With 18+ years serving regulated industries, 24/7 SOC operations, and deep regulatory fluency across GLBA, HIPAA, and SEC requirements, TorchLight delivers security operations leadership can defend.
Ready to explore what partnership looks like? Schedule a consultation to discuss your organization’s specific security needs and regulatory requirements.

