**Nation-State Hack Hits ConnectWise Customers: A Supply-Chain Attack with Devastating Consequences**

In a shocking revelation, ConnectWise has disclosed that its IT management software environment was breached by a "sophisticated nation-state actor" in November 2024. The vendor, which provides remote access and management tools to multiple major brands, including Panasonic, Swarovski, Aflac, and Honeywell, has brought in top forensic experts to investigate the security breach.

The breach, which was discovered earlier this month, affected a "very small number" of ConnectWise customers who use ScreenConnect, a remote access and management tool. The advisory, issued on May 28, warned that the compromise could have serious consequences for businesses, particularly those in high-risk industries such as manufacturing and healthcare.

Multiple sources close to the investigation confirm that the breach was carried out through a supply-chain attack, where an attacker compromised a third-party vendor or supplier to gain initial access to ConnectWise's systems. The intruders then breached some of these customers' instances, using their credentials to gain unauthorized access.

But what did the attackers do with this sensitive information? According to sources, the attackers deployed ransomware and stole data from affected customers. "This is a nation-state attack that could have serious consequences for businesses," said one expert, who wished to remain anonymous. "The attacker's goal was not just to steal data, but to use it as leverage or sell it on the dark web."

ConnectWise has since taken steps to boost monitoring and harden security across its environment. However, experts warn that the vulnerability exploited by the attackers could have been mitigated with better patch management.

In April, ConnectWise disclosed and patched CVE-2025-3935, a critical bug in ScreenConnect versions prior to 25.2.4. This bug, which affects ASP.NET's ViewState, could allow remote code execution if an attacker gains privileged access to extract machine keys. Penetration tester Hasan Adib Ara, who warned of the vulnerability earlier this month, said that it "terrifies" him.

"The deserialization flaw in ASP.NET's ViewState is a nightmare," Ara wrote on LinkedIn. "If an attacker can exploit this bug, they could gain access to critical industrial systems, including production line controls, SCADA systems, and sensitive operational technology networks."

In fact, Chinese spies have previously exploited similar security holes in ScreenConnect to compromise hundreds of entities in the US and Canada. Other miscreants have used these vulnerabilities to deploy LockBit ransomware.

As the investigation continues, experts urge businesses to take immediate action to protect themselves from supply-chain attacks. "This is not just a ConnectWise issue," said Ara. "It's a reminder that we need to be vigilant about patching and securing our software applications."

**The Fallout: What You Need to Know**

* ConnectWise has brought in Mandiant, a leading forensic expert, to investigate the security breach.
* The breach affected a "very small number" of customers who use ScreenConnect.
* The attackers deployed ransomware and stole data from affected customers.
* ConnectWise has taken steps to boost monitoring and harden security across its environment.
* CVE-2025-3935, a critical bug in ScreenConnect versions prior to 25.2.4, was disclosed and patched in April.

**Stay Safe: What You Can Do**

* Make sure your software is up-to-date and patched.
* Use strong passwords and enable two-factor authentication.
* Be cautious when clicking on links or downloading attachments from unknown sources.
* Monitor your systems for suspicious activity.
* Report any security incidents to the relevant authorities.
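
For the patching advice, the check below sorts an inventory into hosts running ScreenConnect older than 25.2.4 (the fixed release named in this article), hosts at or above it, and hosts whose version could not be read. It is an added example, not ConnectWise code; the CSV layout, host names and function names are assumptions made for illustration.

```python
import csv
import io
import re

# Threshold taken from the article: ScreenConnect versions prior to 25.2.4 are affected.
FIXED_VERSION = (25, 2, 4)

# Constructed sample inventory (host names and versions are made up for this example).
SAMPLE_INVENTORY = """host,product,version
rmm-01,ScreenConnect,25.2.4
rmm-02,ScreenConnect,25.2.3.9216
rmm-03,ScreenConnect,24.4.1
rmm-04,ScreenConnect,25.10.0
rmm-05,ScreenConnect,unknown
web-01,OtherTool,1.0.0
"""

def parse_version(text):
    """Return a tuple of ints for a dotted version string, or None if malformed."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    return tuple(int(part) for part in text.split("."))

def needs_patch(version):
    """True if version is numerically lower than FIXED_VERSION (zero-padded, so 25.2 == 25.2.0)."""
    width = max(len(version), len(FIXED_VERSION))
    padded = version + (0,) * (width - len(version))
    fixed = FIXED_VERSION + (0,) * (width - len(FIXED_VERSION))
    return padded < fixed

def triage(inventory_csv, product="ScreenConnect"):
    """Sort hosts running the product into patch / ok / review buckets."""
    result = {"patch": [], "ok": [], "review": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["product"].strip().lower() != product.lower():
            continue
        version = parse_version(row["version"])
        if version is None:
            result["review"].append(row["host"])  # unreadable version: check by hand
        elif needs_patch(version):
            result["patch"].append(row["host"])
        else:
            result["ok"].append(row["host"])
    return result

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Comparing versions as integer tuples rather than strings matters here: a plain string comparison would wrongly rank 25.10.0 below 25.2.4.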