ConnectWise Suffers Cybersecurity Breach Attributed to Nation-State Hacking Group
ConnectWise, an IT management software provider, has reported a breach linked to a sophisticated cyberattack believed to be state-sponsored. The breach specifically targeted a limited number of customers using the ScreenConnect service.
In an advisory statement, ConnectWise acknowledged discovering suspicious activity within its environment. The company has opened an investigation with Mandiant, a digital forensics and incident response firm, and is working alongside law enforcement agencies to address the incident.
Based in Florida, ConnectWise offers IT management, remote monitoring and management (RMM), cybersecurity, and automation solutions designed for managed service providers (MSPs) and IT departments. Among its product offerings is ScreenConnect, which enables secure remote access and support for client systems.
As reported by CRN, ConnectWise has since enhanced its network monitoring and fortified security measures. The company has indicated that there have been no further incidents of suspicious activity detected within customer accounts.
While ConnectWise has not disclosed the specific number of impacted customers, the timeline gathered from sources suggests that the breach occurred in August 2024, with the suspicious activities being detected in May 2025. Reports indicate that only cloud-based instances of ScreenConnect were affected. However, independent confirmation of these dates has not been achieved.
Industry professionals, such as Jason Slagle, President of managed service provider CNWR, noted that only a small fraction of customers appeared to be affected, indicating that the attack was likely targeted at specific organizations rather than a broader assault.
Discussions among affected customers in forums have indicated that the incident is associated with a ScreenConnect vulnerability identified as CVE-2025-3935, which was patched on April 24. This vulnerability presents a high-severity risk related to ViewState code injection, resulting from unsafe deserialization of ASP.NET ViewState in versions 25.2.3 and earlier of ScreenConnect.
A threat actor who already holds system-level access to a ScreenConnect server could exploit this vulnerability to extract the machine keys used by that server, and with those keys forge ViewState payloads that potentially lead to execution of malicious code on the server.
Although ConnectWise has not confirmed that this specific vulnerability was exploited in the current incident, its classification as “High” priority underscores its elevated risk of exploitation. The company stated that remediation measures had already been implemented on its cloud-hosted platforms prior to public disclosure.
Given that only cloud-hosted ScreenConnect instances were compromised, it is plausible that the attackers initially infiltrated ConnectWise’s systems, thereby obtaining the machine keys necessary for unauthorized access and execution of commands on the affected servers. Nevertheless, this has yet to be confirmed by ConnectWise.
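Since the risk described above hinges on the secrecy of the ASP.NET machine keys, a defender's follow-up is to confirm the installed version is past 25.2.3 and to rotate any explicitly configured keys. The script below is an added example, not ConnectWise's code: it assumes a standard ASP.NET web.config layout with `<machineKey>` under `<system.web>` (whether a given ScreenConnect install stores keys there is an assumption), and the key-length checks follow general ASP.NET guidance rather than anything on this page.

```python
import re
import secrets
import xml.etree.ElementTree as ET

# Per the advisory text quoted above, ScreenConnect 25.2.3 and earlier are affected.
LAST_VULNERABLE = (25, 2, 3)

def parse_version(text):
    """Turn '25.2.3' or '25.2.3.9000' into a comparable (major, minor, patch) tuple."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def is_vulnerable_version(text):
    return parse_version(text) <= LAST_VULNERABLE

def audit_machine_key(web_config_xml):
    """Return findings about the <machineKey> element of a web.config document.
    Whoever holds validationKey/decryptionKey can forge a ViewState that passes MAC
    validation, so these are the secrets to rotate after a suspected key compromise."""
    root = ET.fromstring(web_config_xml)
    mk = root.find("./system.web/machineKey")
    findings = []
    if mk is None:
        return ["no explicit <machineKey>: keys are auto-generated per host, rotation state unknown"]
    for attr, min_hex in (("validationKey", 128), ("decryptionKey", 64)):
        val = mk.get(attr, "")
        if not val or val.startswith("AutoGenerate"):
            findings.append(f"{attr} is auto-generated")
        elif len(val) < min_hex or not re.fullmatch(r"[0-9A-Fa-f]+", val):
            findings.append(f"{attr} is shorter than the recommended {min_hex // 2} bytes or not hex")
    if mk.get("validation", "").upper() in ("MD5", "SHA1", "3DES"):
        findings.append("validation algorithm is weak; use HMACSHA256 or stronger")
    return findings

def new_machine_key_element():
    """Build a replacement <machineKey> with fresh random keys (64-byte HMACSHA256
    validation key, 32-byte AES decryption key) to drop in when rotating."""
    el = ET.Element("machineKey", {
        "validationKey": secrets.token_hex(64).upper(),
        "decryptionKey": secrets.token_hex(32).upper(),
        "validation": "HMACSHA256",
        "decryption": "AES",
    })
    return ET.tostring(el, encoding="unicode")

# Constructed sample web.config fragment (not taken from any real ScreenConnect install).
SAMPLE_WEB_CONFIG = """<configuration><system.web>
  <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
              decryptionKey="0123456789ABCDEF" validation="SHA1" decryption="AES"/>
</system.web></configuration>"""

if __name__ == "__main__":
    print(is_vulnerable_version("25.2.3"), audit_machine_key(SAMPLE_WEB_CONFIG))
    print(new_machine_key_element())
```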
Customers have expressed concerns regarding the limited communication from ConnectWise, particularly the absence of indicators of compromise (IOCs) and detailed incident reports, which leaves many without critical information about the breach.
This incident follows previous vulnerabilities within ScreenConnect, such as CVE-2024-1709, which had been actively exploited by ransomware groups and a suspected North Korean advanced persistent threat (APT) group.
Further inquiries directed to ConnectWise have yet to yield a response.