ConnectWise has disclosed a significant cyber attack. The company develops ScreenConnect remote access software. They believe a nation-state actor was likely responsible. This sophisticated actor targeted their internal environment. A very small number of ScreenConnect customers were affected. ConnectWise made this announcement on May 28, 2025. They have engaged Google Mandiant to investigate. All affected customers have been duly notified by them. CRN was the first to report this security incident. However, specific details about the attack remain undisclosed. The exact number of impacted users is unknown.
ConnectWise patched a severe vulnerability in late April 2025. This vulnerability was tracked as CVE-2025-3935. It had a high CVSS score of 8.1. It affected ScreenConnect versions 25.2.3 and earlier. The flaw allowed for ViewState code injection attacks. Attackers could use publicly disclosed ASP.NET machine keys. Microsoft had revealed this attack technique in February. ScreenConnect version 25.2.4 addressed this specific issue. It is currently unknown if this recent cyber attack. It is unclear if it exploited this particular vulnerability. Further investigation may establish any direct links.
In response, the company has taken several remedial actions. ConnectWise implemented enhanced monitoring across its systems. They also applied significant hardening measures. These were applied throughout their entire environment. These proactive steps aim to prevent future similar attacks. ConnectWise stated they observed no further suspicious activity. This assurance applies to all of their customer instances. The company is now closely monitoring the situation. They are actively working to ensure platform security. This continuous monitoring is an ongoing crucial effort. It aims to protect all users.
This is not the first ScreenConnect security incident. In early 2024, other software flaws were exploited. These vulnerabilities were CVE-2024-1708 and CVE-2024-1709. Both cybercrime groups and nation-state actors exploited them. Threat actors from China were reportedly involved then. North Korean and Russian state actors also participated. They successfully delivered a variety of malicious payloads. This past history shows ScreenConnect is a known target. Sophisticated threat actors often target such widely used software. This context adds weight to the current nation-state claim. The platform requires robust, continuous security attention.
Reference:
