Incident

Hackers breach ConnectWise ScreenConnect environment, affecting multiple cloud customers

Take action: If you are running ConnectWise ScreenConnect, make sure you have patched for CVE-2025-3935. It was already exploited to breach ConnectWise itself by nation-state hackers, so your own server will probably be targeted by ordinary criminals now.


Learn More

Florida-based IT management software provider ConnectWise is reporting a cyberattack that breached its infrastructure and compromised a limited number of ScreenConnect customers. 

The breach impacted cloud-hosted ScreenConnect instances, affecting what the company describes as "a very small number of ScreenConnect customers." The company has engaged Google Mandiant to conduct a forensic investigation and has coordinated with law enforcement agencies regarding the incident.

The attack appears to be linked to a high-severity vulnerability in ScreenConnect software:

  • CVE-2025-3935 (CVSS score 8.1) - A ViewState code injection vulnerability affecting ScreenConnect versions 25.2.3 and earlier

The flaw is caused by unsafe deserialization of ASP.NET ViewState in ScreenConnect. Threat actors with privileged system-level access can steal the secret machine keys used by a ScreenConnect server and use them to craft malicious payloads that trigger remote code execution on the server. ConnectWise patched this vulnerability on April 24, 2025, before it was publicly disclosed to customers.
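The two defender-side checks implied by the paragraph above are "is this server still on an affected build?" and "does its web.config pin static machine keys that a privileged intruder could have read?". The script below is an added example written for this page, not a ConnectWise tool; the hostnames, version strings and web.config fragment are constructed, and the only fact taken from the advisory is the cutoff of 25.2.3 and earlier. Versions are compared as integer tuples because plain string comparison would rank 25.2.10 below 25.2.3.

```python
import re
import xml.etree.ElementTree as ET

# Per the advisory, CVE-2025-3935 affects ScreenConnect 25.2.3 and earlier.
LAST_VULNERABLE = (25, 2, 3)


def parse_version(text):
    """Turn '25.2.3' or '25.2.3.9183' into a tuple of ints so versions compare numerically."""
    m = re.match(r"^\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version):
    """True when the major.minor.patch part is at or below the advisory's cutoff.

    A trailing build number (fourth component) is ignored for the comparison.
    """
    return parse_version(version)[:3] <= LAST_VULNERABLE


def triage(inventory):
    """inventory: iterable of (hostname, version). Returns hostnames still on an affected build."""
    return [host for host, version in inventory if is_vulnerable(version)]


def machine_key_status(web_config_xml):
    """Inspect an ASP.NET web.config for an explicit <machineKey> element.

    Static validationKey/decryptionKey values are exactly what an intruder with
    file-system access can read, so a server that ran an affected build should treat
    any keys found here as exposed and rotate them once it has been patched.
    """
    root = ET.fromstring(web_config_xml)
    node = root.find(".//machineKey")
    if node is None:
        return {"explicit": False, "validation": None, "decryption": None}
    return {
        "explicit": True,
        "validation": node.get("validation"),
        "decryption": node.get("decryption"),
        # Report whether the key material itself is pinned, without echoing it.
        "has_static_keys": bool(node.get("validationKey")) and bool(node.get("decryptionKey")),
    }


# Constructed inventory. "25.2.4" and "25.3.1" are simply versions above the cutoff,
# not a claim about which release actually shipped the fix.
SAMPLE_INVENTORY = [
    ("sc-prod-01.example.internal", "25.2.3.9183"),
    ("sc-prod-02.example.internal", "25.2.4"),
    ("sc-lab.example.internal", "24.4.2"),
    ("sc-new.example.internal", "25.3.1"),
]

# Constructed web.config fragment with placeholder key material.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="PLACEHOLDER_VALIDATION_KEY"
                decryptionKey="PLACEHOLDER_DECRYPTION_KEY"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""


if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"PATCH NEEDED: {host}")
    status = machine_key_status(SAMPLE_WEB_CONFIG)
    if status["explicit"] and status.get("has_static_keys"):
        print("web.config pins static machine keys; rotate them after patching")
```

Run it against a real fleet by feeding `triage()` the hostname/version pairs from your asset inventory and `machine_key_status()` the contents of each server's web.config; a host that is both on an affected build and pinning static keys is the one to prioritise, since patching alone does not invalidate keys that were already copied.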

According to sources familiar with the investigation, the breach occurred in August 2024, but ConnectWise discovered the suspicious activity in May 2025. This means that the attackers maintained persistent access to ConnectWise's systems for approximately nine months.

The targeting appears to have been highly selective. Only a very small number of customers were affected, which suggests the threat actor knew what they were looking for. This approach is characteristic of nation-state operations that prioritize specific intelligence targets.

Security researchers believe that threat actors first breached ConnectWise's systems and stole the machine keys. Using those keys, attackers could conduct remote code execution on the company's ScreenConnect servers and access customer environments.

ScreenConnect has a history of being targeted by advanced threat actors, particularly nation-state groups. Both China and Russia have been seen exploiting ConnectWise ScreenConnect vulnerabilities in the last two years. Previous incidents involving ScreenConnect vulnerabilities have resulted in widespread compromises, with researchers from Google saying in February that a hacker affiliated with China's Ministry of State Security exploited CVE-2024-1709 in ConnectWise ScreenConnect "to compromise hundreds of institutions primarily in the U.S. and Canada."
