ConnectWise Cyberattack: Nation-State Actor Suspected in Targeted Breach

ConnectWise Investigates Cyber Attack on ScreenConnect

Date: May 30, 2025
Author: Ravie Lakshmanan
Tags: Vulnerability, Data Breach


Overview of the Incident

ConnectWise, the maker of the remote access and support software ScreenConnect, recently reported a significant cyber attack believed to be orchestrated by a nation-state actor. The disclosure was made on May 28, 2025, and highlights the growing trend of sophisticated attacks targeting critical software providers.

Discovery of Suspicious Activity

In its advisory, ConnectWise stated that it became aware of unusual activity within its environment. The company emphasized that this incident only affected a small number of ScreenConnect users. While it recognized the severity of the situation, the specific number of affected customers, the timeline of the incident, and the identity of the threat actor involved remain undisclosed.

Response Measures Implemented

To address the breach, ConnectWise has engaged Google Mandiant, a cybersecurity firm, to carry out a thorough forensic investigation. This proactive step is aimed at understanding the extent of the breach and improving security measures. The company has also reached out to all customers who may have been impacted, ensuring they are informed and aware of the ongoing situation.

Previous Vulnerabilities and Concerns

Earlier this year, ConnectWise addressed a critical vulnerability identified as CVE-2025-3935, which had a high severity rating (CVSS score: 8.1). This flaw was present in ScreenConnect versions 25.2.3 and earlier and allowed attackers to execute ViewState code injection attacks through publicly available ASP.NET machine keys. Microsoft had previously warned about this vulnerability and its exploitation by malicious actors.

In response to these threats, ConnectWise released an updated version of ScreenConnect, 25.2.4, which patched the identified security issue. However, it remains unclear if the recent cyber attack was directly linked to this vulnerability.
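The two conditions described above (a ScreenConnect build older than 25.2.4, and a machine key that is static or publicly known) can be checked on a deployment. The following is an added example, not code from ConnectWise or from the original article; the sample web.config, the key values and the `KNOWN_PUBLIC` blocklist are constructed for illustration.

```python
import hashlib
import xml.etree.ElementTree as ET

FIXED_VERSION = (25, 2, 4)  # first ScreenConnect release with the fix, per the article

# Constructed sample: a web.config carrying hard-coded machine keys.
SAMPLE_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="FEDCBA9876543210FEDCBA9876543210"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""

def fingerprint(key):
    """SHA-256 of the normalised key, so a blocklist never stores raw keys."""
    return hashlib.sha256(key.strip().upper().encode()).hexdigest()

# Hypothetical blocklist of fingerprints of publicly disclosed keys.
# The single entry is the constructed key from SAMPLE_CONFIG.
KNOWN_PUBLIC = {fingerprint("0123456789ABCDEF" * 4)}

def parse_version(text):
    """Turn '25.2.3' into (25, 2, 3) for tuple comparison."""
    return tuple(int(part) for part in text.split(".")[:3])

def audit(config_xml, version, known_public=KNOWN_PUBLIC):
    """Return a list of findings for one instance (empty list means clean)."""
    findings = []
    if parse_version(version) < FIXED_VERSION:
        findings.append("version-unpatched")
    node = next(ET.fromstring(config_xml).iter("machineKey"), None)
    if node is None:
        return findings  # no explicit element: ASP.NET generates keys itself
    for attr in ("validationKey", "decryptionKey"):
        value = node.get(attr, "")
        # "AutoGenerate[,IsolateApps]" means no key material sits in the file.
        if not value or value.split(",")[0].strip().lower() == "autogenerate":
            continue
        findings.append(f"static-{attr}")
        if fingerprint(value) in known_public:
            findings.append(f"public-{attr}")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG, "25.2.3"))
```

A `public-` finding is the urgent one: the key should be rotated in addition to upgrading, because upgrading alone does not change key material already in the file.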

Enhanced Security Measures Post-Incident

Following the incident, ConnectWise has implemented additional monitoring and hardening techniques across its systems to safeguard against future attacks. The company has reassured its clients by stating that they have not observed any ongoing unusual activity in any customer instances, and they continue to closely monitor the situation.

Historical Context of Cyber Threats

This recent attack is not an isolated event. In early 2024, similar security flaws in ConnectWise’s ScreenConnect software were exploited by various cybercriminals and nation-state actors from countries including China, North Korea, and Russia. These vulnerabilities (CVE-2024-1708 and CVE-2024-1709) were used to deliver various malicious payloads, raising alarms in the cybersecurity community about the susceptibility of software tools widely used across industries.

Conclusion

The ConnectWise incident underscores the increasing risk of cyber threats targeting software solutions that enable remote access and support. As organizations continue to rely on these technologies, vigilance and robust security measures become paramount to protect sensitive data and maintain trust with customers. The investigation into the recent breach by Google Mandiant will likely shed light on the motivations and methods of the attackers involved, offering critical insights for the future.
