ConnectWise Breached in Cyberattack Linked to Nation-State Hackers
IT management software firm ConnectWise has confirmed that a suspected state-sponsored cyberattack breached its environment. The company stated that it believes the breach was tied to a sophisticated nation-state actor and affected a very small number of ScreenConnect customers.
ConnectWise is a Florida-based software company that provides IT management, RMM (remote monitoring and management), cybersecurity, and automation solutions for managed service providers (MSPs) and IT departments. One of its products is ScreenConnect, a remote access and support tool that allows technicians to securely connect to client systems for troubleshooting, patching, and system maintenance.
The breach was discovered in May 2025, with the suspicious activity dating back to August 2024. However, ConnectWise did not provide exact dates or confirm whether any malicious activity was observed in customers' ScreenConnect instances. A source told BleepingComputer that the breach only impacted cloud-based ScreenConnect instances.
A vulnerability tracked as CVE-2025-3935, a high-severity ViewState code injection bug, is believed to be the entry point for the attack. The flaw allows threat actors with privileged system-level access to steal secret machine keys used by a ScreenConnect server and utilize them to craft malicious payloads that trigger remote code execution on the server.
Threat actors may have exploited this vulnerability to conduct targeted attacks against specific organizations, leaving only a small number of customers impacted. ConnectWise has implemented enhanced monitoring and hardened its security across its network, and no further suspicious activity has been observed in customer instances.
The Breach: What We Know
While ConnectWise did not provide detailed information about the breach, it said it believes a sophisticated nation-state actor was involved. The company stated that it contacted all affected customers and is coordinating with law enforcement.
A source told BleepingComputer that the breach dates back to August 2024, with ConnectWise discovering suspicious activity in May 2025. However, the exact dates cannot be confirmed.
The Vulnerability: What You Need to Know
The CVE-2025-3935 vulnerability is a high-severity ViewState code injection bug caused by unsafe deserialization of ASP.NET ViewState in ScreenConnect versions 25.2.3 and earlier.
Threat actors with privileged system-level access can steal the secret machine keys used by a ScreenConnect server and utilize them to craft malicious payloads that trigger remote code execution on the server.
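The following added example (not ConnectWise or ASP.NET code, and not part of the original article) is a simplified model of MAC-protected page state. It shows why a copied server key lets someone mint state the server accepts, and goes slightly beyond the article by showing that replacing the key invalidates such state. The JSON body, the function names and all keys and values are assumptions constructed for illustration; the real ViewState format differs.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import List, Optional

MAC_LEN = hashlib.sha256().digest_size  # 32-byte tag appended to the state

def protect(state: dict, key: bytes) -> str:
    """Serialize state and append an HMAC-SHA256 tag (simplified model)."""
    body = json.dumps(state, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.b64encode(body + tag).decode()

def unprotect(blob: str, trusted_keys: List[bytes]) -> Optional[dict]:
    """Return the state only if its tag verifies under a trusted key."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:  # malformed base64
        return None
    if len(raw) <= MAC_LEN:
        return None
    body, tag = raw[:-MAC_LEN], raw[-MAC_LEN:]
    for key in trusted_keys:
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if hmac.compare_digest(tag, expected):
            return json.loads(body)  # a real server deserializes at this point
    return None

def demo() -> dict:
    """Constructed scenario: all keys and state values are made up."""
    server_key = secrets.token_bytes(32)
    copied_key = server_key  # models a key read off the server by someone else
    legit = protect({"view": "Login", "step": 1}, server_key)
    crafted = protect({"view": "Login", "step": 99}, copied_key)
    raw = bytearray(base64.b64decode(legit))
    raw[0] ^= 0x01  # edit the body without knowing the key
    tampered = base64.b64encode(bytes(raw)).decode()
    rotated_key = secrets.token_bytes(32)
    return {
        "legit_accepted": unprotect(legit, [server_key]) is not None,
        "crafted_with_copied_key_accepted": unprotect(crafted, [server_key]) is not None,
        "tampered_without_key_accepted": unprotect(tampered, [server_key]) is not None,
        "crafted_after_rotation_accepted": unprotect(crafted, [rotated_key]) is not None,
    }

if __name__ == "__main__":
    print(demo())
```

The integrity check is only as strong as the secrecy of the key: once the key has been exposed, the server cannot tell its own state from state produced elsewhere until the key is replaced.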
The Impact: What You Can Expect
Customers who spoke to BleepingComputer expressed frustration with the lack of indicators of compromise (IOCs) and information shared by ConnectWise, leaving them with little information on what happened.
ConnectWise has implemented enhanced monitoring and hardened its security across its network, but it is unclear whether this will prevent future breaches. The company also stated that it has not seen any further suspicious activity in customer instances.
The Takeaway: Protecting Your Business
This breach highlights the importance of regular software updates and patching. Enhanced monitoring and hardened security measures of the kind ConnectWise has now implemented may have prevented the breach had they been in place earlier, and it is essential for businesses to stay vigilant and prioritize cybersecurity.