RMM
ConnectWise
ConnectWise confirms nation-state cyberattack exploiting ScreenConnect flaw (CVE...
**TAMPA, FL – May 31, 2025** – ConnectWise, a leading provider of IT management software for Managed Service Providers (MSPs) and IT departments, has disclosed a significant cybersecurity incident involving a suspected nation-state actor. The breach impacted a limited number of customers using its cloud-hosted ScreenConnect remote access solution, raising concerns within the MSP community reliant on the platform.
In a brief advisory issued this week, ConnectWise stated: *"ConnectWise recently learned of suspicious activity within our environment that we believe was tied to a sophisticated nation state actor, which affected a very small number of ScreenConnect customers."* The company emphasized the targeted nature of the attack, suggesting only a select group of clients were compromised.
**Forensics, Law Enforcement Engaged Amidst Limited Details**
ConnectWise confirmed it has launched a comprehensive investigation, enlisting the expertise of premier cybersecurity forensics firm Mandiant. The company also stated it is coordinating with law enforcement agencies and has directly contacted all affected customers. However, critical details remain scarce.
ConnectWise declined to answer inquiries from BleepingComputer regarding the exact number of impacted customers, the specific timeframe of the breach, or whether any malicious activity was observed within the compromised ScreenConnect customer instances themselves.
**Source Points to 2024 Breach, Cloud Instances Targeted**
According to a source familiar with the incident who spoke to BleepingComputer, the initial breach occurred as far back as **August 2024**, with ConnectWise discovering the suspicious activity only in **May 2025**. The source further indicated that **only cloud-based ScreenConnect instances** were impacted. BleepingComputer notes it has not been able to independently verify these dates. ConnectWise has not publicly commented on this timeline.
**Link to Patched ScreenConnect Vulnerability Emerges**
While ConnectWise's advisory did not specify the initial attack vector, details emerging from customer discussions on Reddit and technical analysis point strongly to the exploitation of a high-severity vulnerability in ScreenConnect, tracked as **CVE-2025-3935**. This flaw, patched by ConnectWise on **April 24, 2025**, was a ViewState code injection vulnerability caused by unsafe deserialization within the ASP.NET framework, affecting ScreenConnect versions 25.2.3 and earlier.
The vulnerability, rated "High" priority by ConnectWise (indicating either active exploitation or high risk), allowed threat actors with privileged system-level access to steal secret machine keys. These keys could then be weaponized to craft malicious payloads enabling **remote code execution (RCE)** on the vulnerable ScreenConnect server.
**Cloud Focus Suggests Potential Attack Path**
Given ConnectWise's confirmation that only cloud-hosted ScreenConnect instances (served via `screenconnect.com` and `hostedrmm.com`) were affected, cybersecurity experts theorize a likely attack sequence:
1. **Initial Compromise:** Threat actors breached ConnectWise's own internal corporate network (the "environment" referenced).
2. **Key Theft:** Attackers stole the secret machine keys used to secure ScreenConnect cloud servers.
3. **Server Compromise:** Using the stolen keys, attackers could bypass security and execute remote code on ConnectWise's ScreenConnect cloud infrastructure.
4. **Customer Impact:** This server-level access potentially allowed attackers to pivot into the environments of the targeted customers using those specific cloud instances.
*Crucially, ConnectWise has not confirmed this specific attack path or whether customer environments were actually accessed via the compromised servers.*
**Frustration Mounts Over Lack of Specifics**
Despite ConnectWise's outreach to affected customers, several MSPs have expressed significant frustration on forums like Reddit over the lack of detailed **Indicators of Compromise (IOCs)** and specific technical information about what occurred within their instances. This lack of transparency hinders their ability to conduct thorough internal investigations and assure their own clients.
**ScreenConnect: A Repeated Target**
This incident marks the second major security event involving ScreenConnect in recent years. In February 2024, a critical vulnerability (**CVE-2024-1709**) was widely exploited by ransomware gangs and a North Korean state-sponsored hacking group (APT), leading to numerous compromises before a patch was deployed. This history underscores the attractiveness of remote access tools to advanced threat actors.
**ConnectWise's Response and Recommendations**
ConnectWise states it has implemented "enhanced monitoring" and "hardened security" across its network. They also report seeing "no further suspicious activity in customer instances" since containment measures were enacted. The company had patched the CVE-2025-3935 vulnerability on its cloud platforms *before* publicly disclosing it to customers.
**Advice for ScreenConnect Users (Especially Cloud):**
1. **Verify Patch Status:** Ensure *all* ScreenConnect instances (cloud or self-hosted) are updated to a version **later than 25.2.3**, specifically patching CVE-2025-3935. ConnectWise manages cloud instances, but confirmation of patching is prudent.
2. **Scrutinize Communications:** Affected cloud customers should closely review all communications from ConnectWise and follow any specific guidance provided.
3. **Enhanced Monitoring:** All ScreenConnect users, particularly those on cloud, should implement heightened monitoring for unusual remote access activity, privilege escalations, or unexpected processes on endpoints managed via ScreenConnect.
4. **Review Access Logs:** Conduct thorough audits of ScreenConnect access logs for the period potentially dating back to August 2024 (if the source timeline is accurate), looking for anomalies.
5. **Assume Potential Compromise (Impacted Customers):** Affected organizations should initiate incident response procedures, including credential rotations, system scans, and investigations for potential lateral movement.
The investigation involving Mandiant and law enforcement is ongoing. ConnectWise has promised to provide updates as more information becomes available and can be shared. This incident highlights the persistent threat faced by IT management platforms and the critical importance of rapid patching and robust supply chain security for MSPs and their clients.
