ConnectWise confirms nation-state cyberattack exploiting ScreenConnect flaw (CVE-2025-3935). Limited cloud customers impacted. Patch now!

Continue reading
TAMPA, FL – May 31, 2025 – ConnectWise, a leading provider of IT management software for Managed Service Providers (MSPs) and IT departments, has disclosed a significant cybersecurity incident involving a suspected nation-state actor. The breach impacted a limited number of customers using its cloud-hosted ScreenConnect remote access solution, raising concerns within the MSP community reliant on the platform.
In a brief advisory issued this week, ConnectWise stated: "ConnectWise recently learned of suspicious activity within our environment that we believe was tied to a sophisticated nation state actor, which affected a very small number of ScreenConnect customers." The company emphasized the targeted nature of the attack, suggesting only a select group of clients were compromised.
Forensics, Law Enforcement Engaged Amidst Limited Details
ConnectWise confirmed it has launched a comprehensive investigation, enlisting the expertise of premier cybersecurity forensics firm Mandiant. The company also stated it is coordinating with law enforcement agencies and has directly contacted all affected customers. However, critical details remain scarce.
ConnectWise declined to answer inquiries from BleepingComputer regarding the exact number of impacted customers, the specific timeframe of the breach, or whether any malicious activity was observed within the compromised ScreenConnect customer instances themselves.
Source Points to 2024 Breach, Cloud Instances Targeted
According to a source familiar with the incident who spoke to BleepingComputer, the initial breach occurred as far back as August 2024, with ConnectWise discovering the suspicious activity only in May 2025. The source further indicated that only cloud-based ScreenConnect instances were impacted. BleepingComputer notes it has not been able to independently verify these dates. ConnectWise has not publicly commented on this timeline.
Link to Patched ScreenConnect Vulnerability Emerges
While ConnectWise's advisory did not specify the initial attack vector, details emerging from customer discussions on Reddit and technical analysis point strongly to the exploitation of a high-severity vulnerability in ScreenConnect, tracked as CVE-2025-3935. This flaw, patched by ConnectWise on April 24, 2025, was a ViewState code injection vulnerability caused by unsafe deserialization within the ASP.NET framework, affecting ScreenConnect versions 25.2.3 and earlier.
The vulnerability, rated "High" priority by ConnectWise (indicating either active exploitation or high risk), allowed threat actors with privileged system-level access to steal secret machine keys. These keys could then be weaponized to craft malicious payloads enabling remote code execution (RCE) on the vulnerable ScreenConnect server.
Cloud Focus Suggests Potential Attack Path
Given ConnectWise's confirmation that only cloud-hosted ScreenConnect instances (served via `screenconnect.com` and `hostedrmm.com`) were affected, cybersecurity experts theorize a likely attack sequence:
Crucially, ConnectWise has not confirmed this specific attack path or whether customer environments were actually accessed via the compromised servers.
Frustration Mounts Over Lack of Specifics
Despite ConnectWise's outreach to affected customers, several MSPs have expressed significant frustration on forums like Reddit over the lack of detailed Indicators of Compromise (IOCs) and specific technical information about what occurred within their instances. This lack of transparency hinders their ability to conduct thorough internal investigations and assure their own clients.
ScreenConnect: A Repeated Target
This incident marks the second major security event involving ScreenConnect in recent years. In February 2024, a critical vulnerability (CVE-2024-1709) was widely exploited by ransomware gangs and a North Korean state-sponsored hacking group (APT), leading to numerous compromises before a patch was deployed. This history underscores the attractiveness of remote access tools to advanced threat actors.
ConnectWise's Response and Recommendations
ConnectWise states it has implemented "enhanced monitoring" and "hardened security" across its network. They also report seeing "no further suspicious activity in customer instances" since containment measures were enacted. The company had patched the CVE-2025-3935 vulnerability on its cloud platforms before publicly disclosing it to customers.
Advice for ScreenConnect Users (Especially Cloud):
The investigation involving Mandiant and law enforcement is ongoing. ConnectWise has promised to provide updates as more information becomes available and can be shared. This incident highlights the persistent threat faced by IT management platforms and the critical importance of rapid patching and robust supply chain security for MSPs and their clients.

DHS confirms a breach of its HSIN intelligence-sharing network during World Cup security operations; a senator warns of national security risk