ConnectWise, a leading provider of IT management software, has confirmed a targeted cyberattack on its ScreenConnect remote access platform, suspected to be the work of a sophisticated nation-state actor.
The breach, disclosed in an advisory on May 28, 2025, affected a small number of ScreenConnect customers, primarily those using cloud-based instances.
The company has enlisted Google Mandiant to conduct a forensic investigation and has notified all impacted customers, though it has not revealed the exact number of affected users, the timing of the breach, or the identity of the threat actor.
This incident highlights the growing vulnerability of remote access tools to advanced cyberattacks, especially those targeting managed service providers (MSPs).
A History of Vulnerabilities in ScreenConnect
The attack comes shortly after ConnectWise patched a high-severity vulnerability, CVE-2025-3935, on April 24, 2025. The flaw, rated CVSS 8.1, affected ScreenConnect versions 25.2.3 and earlier and allowed attackers who already held privileged access to execute code remotely through ViewState code injection, abusing publicly known ASP.NET machine keys, a technique Microsoft warned about in February 2025.
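The machine-key problem behind the ViewState technique arises when an ASP.NET site ships a fixed validationKey/decryptionKey that has also appeared publicly, so anyone holding the key can produce a ViewState payload the server accepts as authentic. The following audit script is an added example, not ConnectWise or Microsoft code: it parses a web.config, flags static machineKey values and weak validation algorithms, and compares the keys against a constructed placeholder list standing in for an organisation's own inventory of known-public keys.

```python
"""Audit an ASP.NET web.config for static <machineKey> values (added example)."""
import xml.etree.ElementTree as ET

# Constructed placeholder standing in for a list of keys known to be public.
# No real leaked key values are included here.
KNOWN_PUBLIC_KEYS = {"DEADBEEF" * 8}  # constructed 64-hex-char example


def audit_machine_key(config_xml: str) -> list[str]:
    """Return findings for the <machineKey> element of a web.config string."""
    findings = []
    root = ET.fromstring(config_xml)
    mk = root.find("./system.web/machineKey")
    if mk is None:
        # No element means keys are auto-generated per application/server.
        return findings
    for attr in ("validationKey", "decryptionKey"):
        # ASP.NET default when the attribute is absent is AutoGenerate,IsolateApps.
        value = mk.get(attr, "AutoGenerate,IsolateApps")
        if value.startswith("AutoGenerate"):
            continue  # runtime-generated key, cannot be copied from a public source
        findings.append(f"{attr} is a static key ({len(value)} hex chars)")
        if value.upper() in KNOWN_PUBLIC_KEYS:
            findings.append(f"{attr} matches a key in the known-public list")
    validation = mk.get("validation", "HMACSHA256")
    if validation.upper() in ("MD5", "SHA1"):
        findings.append(f"validation algorithm {validation} is weak")
    return findings


# Constructed sample configurations for demonstration.
STATIC_CONFIG = (
    '<configuration><system.web><machineKey validationKey="' + "DEADBEEF" * 8 + '" '
    'decryptionKey="0123456789ABCDEF0123456789ABCDEF" validation="SHA1" '
    'decryption="AES"/></system.web></configuration>'
)
SAFE_CONFIG = (
    '<configuration><system.web><machineKey validationKey="AutoGenerate,IsolateApps" '
    'decryptionKey="AutoGenerate,IsolateApps" validation="HMACSHA256"/>'
    '</system.web></configuration>'
)

if __name__ == "__main__":
    for name, cfg in (("static", STATIC_CONFIG), ("safe", SAFE_CONFIG)):
        print(name, audit_machine_key(cfg) or ["no findings"])
```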
While it remains unclear if this specific vulnerability was exploited in the recent breach, sources indicate the attack, which began in August 2024 and was discovered this month, targeted cloud-based ScreenConnect instances.
ConnectWise has a history of security challenges, with earlier flaws like CVE-2024-1708 and CVE-2024-1709 being exploited in 2024 by nation-state actors from China, North Korea, and Russia, as well as ransomware gangs, to deploy malicious payloads.
Did You Know?
ScreenConnect, widely used by MSPs, has been a frequent target for cyberattacks, with vulnerabilities like CVE-2024-1709 exploited by Chinese state-backed hackers to compromise U.S. defense contractors in 2024.
Response and Ongoing Concerns
ConnectWise swiftly responded by implementing enhanced monitoring and security hardening measures throughout its environment.
Since applying the patch, the company reports no further suspicious activity in customer instances, and it continues to closely monitor the situation.
However, the breach underscores the risks faced by MSPs, who often use ScreenConnect to manage client systems, making them prime targets for attackers seeking to access broader networks.
Recent data reveals that over 8,200 ScreenConnect servers were publicly accessible in 2024, with many remaining unpatched, according to the Shadowserver Foundation.
This has raised concern among users; some emphasize the need for better transparency, while others note the persistent targeting of remote access tools by nation-state actors.