ConnectWise, the developer of remote access and support software ScreenConnect, has disclosed that it was the victim of a cyber attack that it said was likely perpetrated by a nation-state threat actor.
“ConnectWise recently learned of suspicious activity within our environment that we believe was tied to a sophisticated nation-state actor, which affected a very small number of ScreenConnect customers,” the company said in a brief advisory on May 28, 2025.
The company said it has engaged the services of Google Mandiant to conduct a forensic probe into the incident and that it has notified all affected customers. The incident was first reported by CRN.
However, it did not reveal the exact number of customers who were impacted by the hack, when it happened, or the identity of the threat actor behind it.
It’s worth noting that the company, in late April 2025, patched CVE-2025-3935 (CVSS score: 8.1), a high-severity vulnerability in ScreenConnect versions 25.2.3 and earlier that could be exploited for ViewState code injection attacks using publicly disclosed ASP.NET machine keys – a technique Microsoft disclosed earlier this February as being actively exploited by bad actors.
The issue was addressed in ScreenConnect version 25.2.4. That said, it’s currently not known if the cyber attack is linked to the exploitation of the vulnerability.
ConnectWise said it has implemented enhanced monitoring and hardening measures across its environment to prevent such attacks from happening again in the future.
“We have not observed any further suspicious activity in any customer instances,” it added, stating it’s closely monitoring the situation.
In early 2024, security flaws in ConnectWise ScreenConnect software (CVE-2024-1708 and CVE-2024-1709) were exploited by both cybercrime and nation-state threat actors, including those from China, North Korea, and Russia, to deliver a variety of malicious payloads.
ConnectWise Confirms Activity Linked to CVE-2025-3935
In a statement shared with The Hacker News, ConnectWise confirmed that the malicious activity is linked to the exploitation of CVE-2025-3935, for which a patch was released on April 24, 2025.
“We have not seen any suspicious ScreenConnect activity since releasing the patch on April 24,” the company said in an updated advisory. “All ScreenConnect customers, including on-premise ScreenConnect customers, should patch their systems, even if not on maintenance.”
CISA Adds CVE-2025-3935 to KEV Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), on June 2, 2025, added CVE-2025-3935, along with four other flaws affecting ASUS routers and (CVE-2021-32030, CVE-2023-39780) and Craft CMS (CVE-2024-56145, CVE-2025-35939), to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the fixes by June 23.
(The story was updated after publication to include a response from ConnectWise confirming the exploitation of CVE-2025-3935.)
