ConnectWise, the developer of remote access and support software ScreenConnect, has disclosed that it was the victim of a cyber attack, which it believes was likely carried out by a nation-state threat actor.
“ConnectWise recently learned of suspicious activity within our environment that we believe was tied to a sophisticated nation-state actor, which affected a very small number of ScreenConnect customers,” the company announced in a brief advisory on May 28, 2025.
To investigate the breach thoroughly, the company has engaged Google Mandiant to conduct a forensic probe and has already notified all affected customers. CRN was the first to report the incident.
Despite these disclosures, ConnectWise has not specified how many customers the attack affected, when the intrusion occurred, or which threat actor carried it out.
Notably, in late April 2025, the company patched CVE-2025-3935 (CVSS score: 8.1), a high-severity vulnerability in ScreenConnect versions 25.2.3 and earlier. The flaw could have allowed attackers to perform ViewState code injection attacks using publicly disclosed ASP.NET machine keys, a technique Microsoft detailed earlier, in February.
ConnectWise resolved the issue in ScreenConnect version 25.2.4. However, investigators have not yet determined whether the cyber attack is connected to exploitation of this vulnerability.
In response to the breach, the company has implemented enhanced monitoring and hardening measures throughout its environment to prevent similar incidents in the future.
“We have not observed any further suspicious activity in any customer instances,” it added, noting that it continues to monitor the situation closely.
Looking back, early 2024 saw similar security flaws in ConnectWise ScreenConnect software (CVE-2024-1708 and CVE-2024-1709) exploited by both cybercriminals and nation-state actors—including those from China, North Korea, and Russia—to deliver a range of malicious payloads.
Source: TheHackerNews