ConnectWise ScreenConnect Breach 2025: Nation-State Attack Exploits Zero-Day Vulnerability
Jun 2, 2025
In May 2025, ConnectWise, a prominent IT management software provider, disclosed a sophisticated cyberattack attributed to a nation-state actor. The breach targeted a limited number of customers using its remote access tool, ScreenConnect. The company has since engaged Google Mandiant for a comprehensive forensic investigation and has implemented enhanced security measures across its infrastructure.
Incident Overview
ConnectWise reported detecting suspicious activity within its environment, believed to be linked to a nation-state threat actor. The intrusion affected a small subset of ScreenConnect customers. While the exact number of impacted clients remains undisclosed, the company has notified all affected parties and is collaborating with law enforcement agencies.
The breach is suspected to have exploited a high-severity vulnerability in ScreenConnect, identified as CVE-2025-3935. This flaw, present in versions 25.2.3 and earlier, allows for ViewState code injection attacks due to unsafe deserialization in the ASP.NET framework. ConnectWise addressed this vulnerability in version 25.2.4, released in April 2025.
Technical Details
Vulnerability Exploited: CVE-2025-3935 (CVSS score: 8.1)
Affected Software: ScreenConnect versions 25.2.3 and earlier
Attack Vector: ViewState code injection via unsafe deserialization in ASP.NET
Potential Impact: Remote code execution on vulnerable servers
Security researchers suggest that attackers may have obtained machine keys from compromised ScreenConnect servers. Because ASP.NET uses those keys to validate ViewState before deserializing it, a stolen key lets an attacker craft payloads that the server accepts as legitimate and execute arbitrary code, which could in turn grant unauthorized access to customer environments.
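To make the role of the machine key concrete, here is an added illustration (not ConnectWise or ASP.NET code) of how MAC-protected state is validated. It uses a deliberately simplified format, base64 of the payload followed by an HMAC-SHA256 tag, which is an assumption for illustration rather than ASP.NET's real ViewState encoding; protect, unprotect and demo are hypothetical names. It shows the two defensive facts that matter for this incident: a blob that was tampered with, or produced without the current key, is rejected before any deserialization happens, and a key rotation invalidates everything signed under the old key.

```python
import base64
import hashlib
import hmac
import json
import os

# Simplified model (an assumption for illustration, not ASP.NET's real format):
#   blob = base64( payload || HMAC-SHA256(validation_key, payload) )
MAC_LEN = hashlib.sha256().digest_size  # 32 bytes


def protect(state: dict, validation_key: bytes) -> str:
    """Serialize state and append a MAC computed with the server's validation key."""
    payload = json.dumps(state, sort_keys=True).encode()
    mac = hmac.new(validation_key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + mac).decode()


def unprotect(blob: str, validation_key: bytes):
    """Return the state if the MAC verifies under validation_key, else None.

    The MAC is checked *before* the payload is deserialized, so unauthenticated
    bytes never reach the deserializer. Whoever holds the key can produce blobs
    that pass this check, which is why a leaked machine key is so dangerous.
    """
    raw = base64.b64decode(blob)
    if len(raw) <= MAC_LEN:
        return None  # malformed: no room for payload plus tag
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(validation_key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None  # MAC failure: reject, do not deserialize
    return json.loads(payload)


def demo():
    """Walk through accept / tamper / key-rotation cases with constructed data."""
    key_v1 = os.urandom(64)
    blob = protect({"page": "Login", "step": 1}, key_v1)

    accepted = unprotect(blob, key_v1)  # genuine blob, current key -> state

    # Flip one bit of the payload; the tag no longer matches.
    raw = bytearray(base64.b64decode(blob))
    raw[0] ^= 0x01
    tampered = unprotect(base64.b64encode(bytes(raw)).decode(), key_v1)  # None

    # Rotate the key: anything signed under key_v1 is now rejected.
    key_v2 = os.urandom(64)
    after_rotation = unprotect(blob, key_v2)  # None

    return accepted, tampered, after_rotation


if __name__ == "__main__":
    print(demo())
```

The important line for defenders is the early return on MAC failure: the deserializer only ever sees bytes that were authenticated under the key the server currently holds. That is also why, in this model, a server whose key has been exposed cannot distinguish a forged blob from a real one until the key is changed.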
Response and Mitigation
Upon discovering the breach, ConnectWise took immediate action:
Engaged Mandiant: To conduct a thorough forensic investigation.
Notified Affected Customers: Ensuring transparency and prompt communication.
Enhanced Security Measures: Implemented improved monitoring and hardened security protocols across its systems.
Patched Vulnerability: Released ScreenConnect version 25.2.4 to address CVE-2025-3935.
As of the latest update, ConnectWise reports no further suspicious activity in customer instances.
Industry Implications
This incident underscores the growing trend of nation-state actors targeting managed service providers (MSPs) to gain access to a broader range of victims. By compromising tools like ScreenConnect, attackers can infiltrate multiple organizations through a single point of entry. Experts warn that such supply chain attacks can have far-reaching consequences, emphasizing the need for robust security practices among MSPs and their clients.
Recommendations for Organizations
In light of this breach, organizations are advised to:
Update Software: Ensure all instances of ScreenConnect are updated to the latest version (25.2.4 or newer).
Review Access Controls: Audit and restrict access to critical systems and data.
Monitor Systems: Implement continuous monitoring for unusual activity or unauthorized access attempts.
Engage in Threat Intelligence Sharing: Collaborate with industry peers and cybersecurity communities to stay informed about emerging threats.
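The update check in the list above is simple to state but awkward across a fleet with mixed version strings, so here is an added example (not ConnectWise's own tooling) that audits a constructed inventory against the 25.2.4 fix version named in this article. The inventory rows and the helper names (parse_version, is_vulnerable, audit) are assumptions; in practice the host and version pairs would come from an RMM or asset database.

```python
import re

# Fixed version from the article: 25.2.4 closes CVE-2025-3935;
# 25.2.3 and earlier are affected.
FIXED_VERSION = (25, 2, 4)


def parse_version(text: str):
    """Return (major, minor, patch) from strings such as '25.2.3.9210' or 'v25.2.4'.

    Returns None when fewer than three numeric fields are present, so that an
    unreadable version is reported rather than silently treated as safe.
    """
    fields = re.findall(r"\d+", text)
    if len(fields) < 3:
        return None
    return tuple(int(f) for f in fields[:3])


def is_vulnerable(version: str):
    """True for 25.2.3 or earlier, False if patched, None if unparseable."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    # Integer tuple comparison: 25.2.10 correctly sorts after 25.2.4,
    # which a plain string comparison would get wrong.
    return parsed < FIXED_VERSION


def audit(inventory):
    """Group (host, version) pairs into vulnerable / patched / unknown buckets."""
    result = {"vulnerable": [], "patched": [], "unknown": []}
    for host, version in inventory:
        status = is_vulnerable(version)
        if status is None:
            result["unknown"].append(host)
        elif status:
            result["vulnerable"].append(host)
        else:
            result["patched"].append(host)
    for bucket in result.values():
        bucket.sort()
    return result


# Constructed sample inventory; hostnames and version strings are invented.
SAMPLE_INVENTORY = [
    ("sc-eu-01.example.net", "25.2.3.9210"),
    ("sc-eu-02.example.net", "25.2.4.9244"),
    ("sc-us-01.example.net", "24.4.0.8860"),
    ("sc-us-02.example.net", "v25.3.1"),
    ("sc-lab-01.example.net", "unknown"),
    ("sc-lab-02.example.net", "25.2.10.9300"),
]


if __name__ == "__main__":
    report = audit(SAMPLE_INVENTORY)
    for bucket, hosts in report.items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts that land in the unknown bucket deserve the same attention as the vulnerable ones: a version the tooling cannot read is usually a host the tooling is not really managing.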
Conclusion
The ConnectWise cyberattack highlights the persistent threats posed by nation-state actors and the importance of proactive cybersecurity measures. Organizations must remain vigilant, regularly update their systems, and foster a culture of security awareness to mitigate the risks associated with such sophisticated attacks.
Disclaimer: ClearPhish maintains a strict policy of not participating in the theft, distribution, or handling of stolen data or files. The platform does not engage in exfiltration, downloading, hosting, or reposting any illegally obtained information. Any responsibility or legal inquiries regarding the data should be directed solely at the responsible cybercriminals or attackers, as ClearPhish is not involved in these activities. We encourage parties affected by any breach to seek resolution through legal channels directly with the attackers responsible for such incidents.