Nation-State Hackers Breach ConnectWise ScreenConnect in Sophisticated Cyber Operation
ConnectWise, the company behind remote access solution ScreenConnect, has revealed it fell victim to an advanced cyberattack attributed to state-sponsored threat actors.

The security incident affected a limited number of ScreenConnect users, according to ConnectWise's May 28, 2025, security alert. "ConnectWise recently discovered suspicious activity within our infrastructure that we believe was linked to an advanced nation-state threat group, impacting a very small subset of ScreenConnect clients," the firm stated in its brief security notice.
The organization has enlisted Google Mandiant's expertise to perform a comprehensive digital forensics investigation and has informed all compromised customers. CRN first broke the story of this security breach.
ConnectWise has not disclosed specific details, including the total count of affected clients, the timeline of the attack, or which nation-state group was responsible for the intrusion.
Notably, in late April 2025 ConnectWise addressed CVE-2025-3935, a critical security flaw with an 8.1 CVSS rating affecting ScreenConnect versions 25.2.3 and older. This vulnerability enabled ViewState code injection attacks using publicly available ASP.NET machine keys, a method Microsoft had previously revealed in February.
ScreenConnect version 25.2.4 resolved this security issue. However, investigators have not yet determined whether this recent cyberattack exploited the patched vulnerability.
The company has deployed additional security monitoring and system hardening protocols throughout its infrastructure to mitigate future attack attempts.
"We have detected no additional suspicious behavior in any client environments," ConnectWise noted, emphasizing its ongoing surveillance of the situation.
Previously, in early 2024, security vulnerabilities in ConnectWise ScreenConnect (CVE-2024-1708 and CVE-2024-1709) were actively exploited by criminal hackers and state-backed groups from China, North Korea, and Russia to install various types of malicious software.