CVE-2026-3564 (CVSS 9.5) allows unauthenticated attackers to extract ASP.NET machine keys from unpatched ScreenConnect on-premises deployments and forge authenticated sessions, bypassing credentials entirely; CVE-2025-3935 documents a prior related key-management weakness in the same product line, indicating a pattern of recurring exposure. Cloud instances were auto-updated to version 26.1, but all on-premises deployments require manual patching, and MSPs managing multiple client environments face compounded risk of cross-client lateral movement if any instance is exploited. Immediate patching to version 26.1 or later is required; instances that cannot be patched within 24 hours must be isolated from untrusted networks.