![\"software](\"https:\/\/www.bleepstatic.com\/content\/hl-images\/2025\/05\/29\/connectwise-logo.jpg\"){kind=logo}
<\/p>\n
IT management software firm ConnectWise says a suspected state-sponsored cyberattack breached its environment and impacted a limited number of ScreenConnect customers.<\/p>\n
“ConnectWise recently learned of suspicious activity within our environment that we believe was tied to a sophisticated nation state actor, which affected a very small number of ScreenConnect customers,” ConnectWise shared in a brief advisory.<\/p>\n
“We have launched an investigation with one of the leading forensic experts, Mandiant. We have contacted all affected customers and are coordinating with law enforcement.”<\/p>\n
ConnectWise is a Florida-based software company that provides IT management, RMM (remote monitoring and management), cybersecurity, and automation solutions for managed service providers (MSPs) and IT departments.<\/p>\n
One of its products is ScreenConnect, a remote access and support tool that allows technicians to securely connect to client systems for troubleshooting, patching, and system maintenance.<\/p>\n
As first reported by CRN, the company now says it has implemented enhanced monitoring and hardened the security across its network.<\/p>\n
They also state that they have not seen any further suspicious activity in customer instances.<\/p>\n
ConnectWise did not answer BleepingComputer’s questions about how many customers were impacted, when the breach occurred, or whether any malicious activity was observed in customers’ ScreenConnect instances.<\/p>\n
However, a source told BleepingComputer that the breach occurred in August 2024, with ConnectWise discovering the supicious activity in May 2025, and that it only impacted cloud-based ScreenConnect instances. BleepingComputer has not been able to independently confirm the breach dates.<\/p>\n
Jason Slagle, President of managed service provider CNWR, told BleepingComputer that only a very small number of customers were impacted, suggesting the threat actor carried out a targeted attack against specific organizations.<\/p>\n
In a Reddit thread,\u00a0customers shared further details, stating the incident is linked to a ScreenConnect vulnerability tracked as\u00a0CVE-2025-3935, patched on April 24.<\/p>\n
The CVE-2025-3935 flaw is a high-severity ViewState code injection bug caused by unsafe deserialization of ASP.NET ViewState in ScreenConnect versions 25.2.3 and earlier.<\/p>\n
Threat actors with privileged system-level access can steal the secret machine keys used by a ScreenConnect server and utilize them to craft malicious payloads that trigger remote code execution on the server.<\/p>\n
While ConnectWise did not state that this vulnerability was exploited at the time, it was marked as “High” priority, indicating it was either actively exploited or carried a significant risk of exploitation.<\/p>\n
The company also stated that the flaw was patched on its cloud-hosted ScreenConnect platforms at “screenconnect.com” and “hostedrmm.com” before it was publicly disclosed to customers.<\/p>\n
As the breach only impacted cloud-hosted ScreenConnect instances, it’s possible that threat actors first breached ConnectWise’s systems and stole the machine keys.<\/p>\n
Using those keys, attackers could conduct remote code execution on the company’s ScreenConnect servers and potentially access customer environments.<\/p>\n
However, it should be noted that ConnectWise has not confirmed whether this was how customer’s instances were breached.<\/p>\n
Customers who spoke to BleepingComputer are frustrated by the lack of indicators of compromise (IOCs) and information shared by ConnectWise, leaving them with little information on what happened.<\/p>\n
Last year, a ScreenConnect flaw tracked as CVE-2024-1709 was exploited by ransomware gangs and a North Korean APT hacking group\u00a0to run malware.<\/p>\n
BleepingComputer sent additional questions to ConnectWise but has not heard back at this time.<\/p>\n
\n ![\"software](\"https:\/\/www.bleepstatic.com\/c\/p\/picus\/red-report-in-article.jpg\")
<\/p>\n<\/div><\/div>\n","protected":false},"excerpt":{"rendered":"
Software IT management software firm ConnectWise says a suspected state-sponsored cyberattack breached its environment and impacted a limited number of<\/p>\n","protected":false},"author":7282,"featured_media":11110,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-11109","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-software"],"_links":{"self":[{"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/posts\/11109","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/users\/7282"}],"replies":[{"embeddable":true,"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/comments?post=11109"}],"version-history":[{"count":0,"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/posts\/11109\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/media\/11110"}],"wp:attachment":[{"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/media?parent=11109"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/categories?post=11109"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/tags?post=11109"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}