ConnectWise cyberattack tied to nation-state hackers

ConnectWise has confirmed a breach affecting its remote access tool, with early signs pointing to a sophisticated state-sponsored threat actor.

What happened

ConnectWise, a Florida-based IT management software company, disclosed a cyberattack believed to be the work of a nation-state actor. The breach affected a limited number of customers using ScreenConnect, the company's remote access and support platform. ConnectWise launched an investigation with cybersecurity firm Mandiant and notified all affected customers while working with law enforcement.

The company did not confirm the breach timeline, scope of impact, or specific activities observed in customer environments. However, a source told BleepingComputer that the breach dates back to August 2024 and was only discovered in May 2025.

Going deeper

ScreenConnect is used by IT departments and managed service providers to remotely access and manage client systems. The vulnerability potentially linked to this breach, CVE-2025-3935, is a high-severity ViewState deserialization bug in older versions of ScreenConnect (25.2.3 and earlier). If exploited, attackers with system-level access could steal secret machine keys, enabling remote code execution on customer servers.

Although ConnectWise patched the flaw on its cloud-hosted ScreenConnect platforms (“screenconnect.com” and “hostedrmm.com”) before public disclosure, it's possible that attackers exploited the vulnerability beforehand. The exact method of intrusion remains unconfirmed by the company.

Some customers have expressed frustration over the lack of shared indicators of compromise (IOCs) and limited communication following the incident. The company has not disclosed the number of affected customers but insists that the breach involved only a small, targeted subset of its user base.

What was said

In its advisory, ConnectWise stated, “We believe [the incident] was tied to a sophisticated nation state actor… We have contacted all affected customers and are coordinating with law enforcement.”

Jason Slagle, President of MSP firm CNWR, supported the claim of a limited impact, suggesting that only a select group of organizations were targeted.

The big picture

The breach involving ConnectWise reflects the risk tied to remote access platforms, which often serve as gateways into enterprise systems. Compromise of these tools can lead to unauthorized access to sensitive environments, especially when a cloud environment is centrally managed by a third-party provider. In this case, delays in detection and limited public communication have drawn criticism, pointing to the need for faster incident response, clearer disclosure practices, and stronger vulnerability management in tools supporting infrastructure.

FAQs

What is ASP.NET ViewState, and why is unsafe deserialization a risk?

ViewState stores user session data on ASP.NET web pages. If not properly secured, it can allow attackers to inject malicious objects that the system unwittingly executes, leading to code execution vulnerabilities.
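As an added illustration (not code from the article, ConnectWise or ASP.NET), the following simplified Python model shows the trust chain behind the ViewState issue described above and in the "Going deeper" section: the server deserializes only state whose HMAC verifies, so a leaked validation key lets anyone produce state the server will trust, and rotating the key is what revokes that trust. The blob format, the JSON payload and the `rotate_key` helper are teaching assumptions, not ASP.NET's real encoding.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Assumed simplified layout: base64( payload || HMAC-SHA256(payload) ).
# Real ASP.NET ViewState uses ObjectStateFormatter and the machineKey
# validationKey; only the trust principle is modelled here.
MAC_LEN = 32


def sign_state(state: dict, validation_key: bytes) -> str:
    """Serialize state and append a MAC keyed with the server's validation key."""
    payload = json.dumps(state, sort_keys=True).encode()
    mac = hmac.new(validation_key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + mac).decode()


def verify_state(blob: str, validation_key: bytes):
    """Return the state dict only if the MAC verifies; otherwise None.
    Unverified input is never deserialized, which is the whole point of the MAC."""
    raw = base64.b64decode(blob)
    if len(raw) <= MAC_LEN:          # missing or truncated MAC: reject
        return None
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(validation_key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(payload)


def rotate_key() -> bytes:
    """Generate a fresh validation key (what an operator does after a key theft)."""
    return secrets.token_bytes(64)


def demo() -> dict:
    """Walk through the four outcomes a defender should understand."""
    server_key = rotate_key()
    good = sign_state({"page": "Host.aspx", "tab": 2}, server_key)
    raw = bytearray(base64.b64decode(good))
    raw[0] ^= 1                      # flip one payload byte without re-signing
    tampered = base64.b64encode(bytes(raw)).decode()
    leaked_key = server_key          # a stolen machineKey is the server's own key
    forged = sign_state({"page": "Host.aspx", "tab": 99}, leaked_key)
    rotated_key = rotate_key()
    return {
        "valid_accepted": verify_state(good, server_key) is not None,
        "tampered_rejected": verify_state(tampered, server_key) is None,
        "leaked_key_trusted": verify_state(forged, server_key) is not None,
        "rotation_revokes": verify_state(forged, rotated_key) is None,
    }
```

The last two results are the lesson: a valid MAC proves only that the signer held the key, so after a suspected key theft the key must be rotated, and the server must keep refusing blobs that lack a MAC.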

What are indicators of compromise (IOCs), and why are they important?

IOCs are technical clues (like IP addresses, file hashes, or unusual behavior patterns) that help organizations detect and respond to intrusions. Without IOCs, customers struggle to verify if they’ve been affected.

What responsibilities do vendors have when vulnerabilities affect cloud-hosted instances?

Vendors are expected to patch vulnerabilities quickly, monitor for signs of exploitation, and proactively inform customers when their environments may be at risk.

What is the significance of labeling a CVE as “High” priority?

This usually means the flaw is either actively being exploited or has a high likelihood of exploitation, prompting urgent attention and faster patch deployment.

Can remote code execution using stolen machine keys affect customer data security?

Yes. If attackers gain remote control of ScreenConnect servers via stolen keys, they may access or manipulate connected systems, posing serious risks to client data and operations.