CVE-2025-14265 · CRITICAL 9.1 · EPSS p24.0%


Description

In versions of ScreenConnect™ prior to 25.8, server-side validation and integrity checks within the extension subsystem could allow the installation and execution of untrusted or arbitrary extensions by authorized or administrative users. Abuse of this behavior could result in the execution of custom code on the server or unauthorized access to application configuration data. This issue affects only the ScreenConnect server component; host and guest clients are not impacted. ScreenConnect 25.8 introduces enhanced server-side configuration handling and integrity checks to ensure only trusted extensions can be installed.

Scoring

CVSS 3.1: 9.1 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.32% probability of exploitation · percentile 24.0% · 2026-06-18T12:00:27Z
Published: 2025-12-11
Last modified: 2026-01-16

Underlying weaknesses · 1

CWE-494

References

  1. https://www.connectwise.com/company/trust/security-bulletins/screenconnect-2025.8-security-patch


Type: Weakness
Target: Download of Code Without Integrity Check (cwe-494)
Confidence: 0%
Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: CVE-2026-3564
CVE: ConnectWise ScreenConnect Improper Authentication Vulnerability
CVE: CVE-2025-27645
CVE: CVE-2025-12556
CVE: CVE-2025-1393
CVE: CVE-2026-41225

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.