
ConnectWise Faces Nation-State Cyberattack on ScreenConnect: What’s at Risk?

ConnectWise targeted by a nation-state cyberattack on ScreenConnect, impacting select users. Explore the breach, vulnerabilities, and cybersecurity risks.


By Jace Reed

May 30, 2025

Nation-State Threat: ConnectWise ScreenConnect Under Cyberattack.

Tampa, Florida, May 30, 2025 - ConnectWise, a leading provider of IT management software, has confirmed a targeted cyberattack on its ScreenConnect remote access platform, suspected to be the work of a sophisticated nation-state actor. The breach, disclosed in an advisory on May 28, 2025, affected a small number of ScreenConnect customers, primarily those using cloud-based instances.

The company has enlisted Google Mandiant to conduct a forensic investigation and has notified all impacted customers, though it has not revealed the exact number of affected users, the timing of the breach, or the identity of the threat actor. This incident highlights the growing vulnerability of remote access tools to advanced cyberattacks, especially those targeting managed service providers (MSPs).


A History of Vulnerabilities in ScreenConnect

The attack comes shortly after ConnectWise patched a high-severity vulnerability, CVE-2025-3935, on April 24, 2025. This flaw, with a CVSS score of 8.1, affected ScreenConnect versions 25.2.3 and earlier, allowing attackers with privileged access to execute remote code through ViewState code injection by exploiting publicly disclosed ASP.NET machine keys, a method Microsoft highlighted in February 2025.
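As an added illustration (not code from ConnectWise, Microsoft, or the original article), the following defender-side audit checks an ASP.NET `web.config` for the precondition described above: a static `machineKey`, and in particular one whose value has been published. The sample configurations, the key values, and the `DISCLOSED` blocklist are constructed for this example.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample web.config contents (not taken from any real product).
SAMPLE_STATIC = """<configuration><system.web>
  <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
              decryptionKey="FEDCBA9876543210FEDCBA9876543210"
              validation="HMACSHA256" decryption="AES" />
</system.web></configuration>"""

SAMPLE_AUTO = """<configuration><system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps"
              decryptionKey="AutoGenerate,IsolateApps" />
</system.web></configuration>"""

def key_fingerprint(key_hex):
    """SHA-256 of the normalized key, so a blocklist never stores raw keys."""
    return hashlib.sha256(key_hex.strip().upper().encode("ascii")).hexdigest()

# Hypothetical blocklist of fingerprints of published keys.
# Here it holds only the constructed sample validation key above.
DISCLOSED = {key_fingerprint("0123456789ABCDEF" * 4)}

def audit_machine_keys(config_xml, disclosed=DISCLOSED):
    """Return (attribute, finding) pairs for every <machineKey> element."""
    findings = []
    for el in ET.fromstring(config_xml).iter():
        # Strip an XML namespace prefix if the config declares one.
        if el.tag.rsplit("}", 1)[-1] != "machineKey":
            continue
        for attr in ("validationKey", "decryptionKey"):
            value = el.get(attr)
            # A missing attribute falls back to the auto-generated default.
            if value is None or value.split(",")[0].strip().lower() == "autogenerate":
                continue
            if key_fingerprint(value) in disclosed:
                findings.append((attr, "publicly-disclosed"))
            else:
                findings.append((attr, "static"))
    return findings

if __name__ == "__main__":
    for name, text in (("static", SAMPLE_STATIC), ("auto", SAMPLE_AUTO)):
        print(name, audit_machine_keys(text))
```

A "static" finding means the key is fixed in the file and worth rotating if the file may have been exposed; a "publicly-disclosed" finding means the key should be replaced immediately.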

While it remains unclear if this specific vulnerability was exploited in the recent breach, sources indicate the attack, which began in August 2024 and was discovered this month, targeted cloud-based ScreenConnect instances. ConnectWise has a history of security challenges, with earlier flaws like CVE-2024-1708 and CVE-2024-1709 being exploited in 2024 by nation-state actors from China, North Korea, and Russia, as well as ransomware gangs, to deploy malicious payloads.

Did You Know?
ScreenConnect, widely used by MSPs, has been a frequent target for cyberattacks, with vulnerabilities like CVE-2024-1709 exploited by Chinese state-backed hackers to compromise U.S. defense contractors in 2024.

Response and Ongoing Concerns

ConnectWise has taken swift action, implementing enhanced monitoring and security hardening measures across its environment. The company reports no further suspicious activity in customer instances since the patch was applied, and it continues to monitor the situation closely. However, the breach underscores the risks faced by MSPs, who often use ScreenConnect to manage client systems, making them prime targets for attackers seeking to access broader networks.

Recent data reveals that over 8,200 ScreenConnect servers were publicly accessible in 2024, with many remaining unpatched, according to the Shadowserver Foundation. Posts on X reflect concern among users, with some emphasizing the need for better transparency and others noting the persistent targeting of remote access tools by nation-state actors.
