Cybersecurity Alert: Nation-State Actor Compromises ConnectWise ScreenConnect Instances
ConnectWise, a Florida-based software company, has disclosed that a “sophisticated nation-state actor” compromised the ScreenConnect cloud instances of a limited number of its customers. The disclosure raises significant concerns about the security of remote access tools that managed service providers (MSPs) and IT departments rely on to administer customer and corporate systems.
What Happened?
ConnectWise, known for its software tailored to MSPs and technology solution providers (TSPs), reported suspicious activity within its environment. Its remote support and access product, ScreenConnect, can be hosted on ConnectWise’s cloud infrastructure or self-hosted by customer organizations. The compromise appears to have occurred before the April 24 release of a critical patch that addressed a vulnerability tracked as CVE-2025-3935.
ConnectWise’s initial security advisory was brief, and subsequent updates, including a Frequently Asked Questions (FAQ) section, provided little clarity on how the breach occurred. The company has engaged Mandiant’s forensic experts to investigate the intrusion, but details remain sparse. ConnectWise has assured customers that it will share more information as it becomes available.
Understanding CVE-2025-3935
The vulnerability in question, CVE-2025-3935, affects ScreenConnect versions 25.2.3 and earlier. It is a ViewState code-injection (deserialization) vulnerability: an attacker who can produce a ViewState blob that the server accepts as valid can have the server deserialize attacker-controlled data, leading to remote code execution on the server.
ScreenConnect is built on ASP.NET, Microsoft’s web framework. ASP.NET Web Forms uses ViewState to preserve page and control state across postbacks; the serialized state is Base64-encoded and stored in a hidden form field (__VIEWSTATE) that the browser sends back with each request. To protect it against tampering, ASP.NET signs (and optionally encrypts) the blob using the machine keys (the validationKey and decryptionKey in the machineKey configuration). The server only deserializes a ViewState whose signature verifies. An attacker who obtains those keys can therefore sign a malicious ViewState of their own, and the server will deserialize it and execute the embedded payload.
The success of such an attack hinges on the attacker first obtaining privileged access to the server to extract the machine keys, then crafting a signed ViewState that exploits the deserialization step. The machine keys are the entire trust boundary: anyone who holds them can forge state that is indistinguishable from the server’s own. ConnectWise has since released a patch (ScreenConnect 25.2.4) that disables ASP.NET ViewState and removes any dependency on it, so that a forged ViewState no longer has anything to reach.
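To make the trust boundary concrete, the following is an added, simplified model of how a ViewState-style blob is protected by a server-side validation key. It is not ScreenConnect or ASP.NET code, and the byte layout, serializer and key derivation are constructed for illustration (ASP.NET uses its own ObjectStateFormatter and machineKey handling); only the security property is modeled. The assumed functions `encode_viewstate`, `decode_viewstate`, `tamper_without_key` and `forge_with_leaked_key` are hypothetical names for this example. It shows the three cases the text describes: a legitimate blob verifies, a tampered blob from an attacker without the key is rejected before deserialization, and a blob forged by an attacker who has extracted the key is accepted exactly as a legitimate one would be.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed model of ViewState protection (added example, not ASP.NET or
# ScreenConnect code): serialized page state + HMAC(validationKey) -> Base64,
# the way the real hidden __VIEWSTATE field carries state plus a MAC.
MAC_LEN = hashlib.sha256().digest_size


def generate_validation_key() -> bytes:
    """Random 64-byte key standing in for the machineKey validationKey."""
    return secrets.token_bytes(64)


def _serialize(state: dict) -> bytes:
    # JSON stands in for the real binary serializer; the point is that this
    # is the data the server will later deserialize.
    return json.dumps(state, separators=(",", ":"), sort_keys=True).encode()


def encode_viewstate(state: dict, validation_key: bytes) -> str:
    """Server side when rendering a page: sign the state, then Base64 it."""
    payload = _serialize(state)
    mac = hmac.new(validation_key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + mac).decode()


def decode_viewstate(token: str, validation_key: bytes) -> dict:
    """Server side on postback: verify the MAC first, deserialize second.

    Deserializing attacker-controlled bytes is the dangerous step, so the
    check must happen before any parsing and must use a constant-time
    comparison."""
    raw = base64.b64decode(token)
    if len(raw) <= MAC_LEN:
        raise ValueError("ViewState too short")
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(validation_key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("ViewState MAC validation failed")
    return json.loads(payload)


def tamper_without_key(token: str, new_state: dict) -> str:
    """Attacker who does NOT hold the key: swap the payload, reuse the old MAC."""
    raw = base64.b64decode(token)
    old_mac = raw[-MAC_LEN:]
    return base64.b64encode(_serialize(new_state) + old_mac).decode()


def forge_with_leaked_key(new_state: dict, leaked_key: bytes) -> str:
    """Attacker who extracted the machine key from the server (the privileged
    precondition ConnectWise describes): the forgery is just a valid encode."""
    return encode_viewstate(new_state, leaked_key)


def demo() -> dict:
    """Run the three scenarios and report which blobs the server accepted."""
    key = generate_validation_key()
    legit_state = {"page": "Login", "attempts": 0}
    legit = encode_viewstate(legit_state, key)
    results = {"legit_ok": decode_viewstate(legit, key) == legit_state}

    # Constructed attacker state: without the key the MAC no longer matches.
    tampered = tamper_without_key(legit, {"page": "Admin", "attempts": 0})
    try:
        decode_viewstate(tampered, key)
        results["tamper_rejected"] = False
    except ValueError:
        results["tamper_rejected"] = True

    # With the leaked key the server cannot tell the forgery from its own state.
    forged = forge_with_leaked_key({"page": "Admin", "attempts": 0}, key)
    results["forged_accepted"] = decode_viewstate(forged, key)["page"] == "Admin"
    return results


if __name__ == "__main__":
    print(demo())
```

The practical takeaway is that MAC validation only defends against attackers who lack the key; once the machine keys are read from the server (or, as in other products, hardcoded and therefore public), the only robust fix is the one ConnectWise shipped, removing the deserialization sink altogether rather than rotating keys and hoping they stay secret.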
The Timeline of Events
Reports suggest that some customers experienced compromises as early as November 2024, indicating that the flaw was exploited months before the April 24 patch. Affected customers have voiced their frustration on platforms such as Reddit, pressing ConnectWise for transparency about the breach.
Broader Implications
While the current incident is attributed to a nation-state actor known for intelligence collection, it is essential to note that weaknesses like CVE-2025-3935 can affect any product built on ASP.NET Web Forms that relies on ViewState, because the protection rests entirely on the secrecy of the machine keys. This incident is not isolated: the same class of ViewState forgery has been exploited in other platforms, such as Gladinet’s CentreStack and Triofox, underscoring the widespread risk to remote access and file-sharing tools.
In the past, both financially motivated threat actors and government-backed attackers have exploited vulnerabilities in ScreenConnect, but ConnectWise has clarified that this latest attack is distinct from those previous incidents.
Conclusion
As the investigation continues, the cybersecurity community remains on high alert. The compromise of ScreenConnect instances is a stark reminder of the exposure that remote access tools create and of the persistence of sophisticated attackers. Organizations using such tools should apply patches promptly, treat the servers that hold secrets such as machine keys as high-value targets, and review those systems for signs of prior access.