
Executive Summary
On May 29, 2025, ConnectWise publicly disclosed a cybersecurity breach targeting its ScreenConnect remote access platform. The attack, attributed to a sophisticated nation-state threat actor, compromised a limited number of customer environments. ConnectWise has since engaged cybersecurity firm Mandiant, implemented network hardening, and has not observed further suspicious activity.
This incident underscores the persistent targeting of Managed Service Providers (MSPs) and their tools by advanced adversaries, with potential implications across multiple customer environments and critical infrastructure sectors.
Incident Overview
Impacted Organization: ConnectWise, a provider of IT management and remote access tools, including ScreenConnect.
Date of Disclosure: May 29, 2025
Type of Incident: Cyberattack linked to a nation-state threat actor
Impacted System: Cloud-hosted instances of ScreenConnect
Discovery: The breach was discovered internally by ConnectWise, prompting an immediate investigation in collaboration with Mandiant.
Technical Details
Suspected Attack Vector:
While ConnectWise has not confirmed the exploit used, the security community has pointed to the possible use of a recently patched vulnerability—CVE-2025-3935—which affects ASP.NET ViewState deserialization. If exploited, it could allow attackers with administrative privileges to extract machine keys and execute remote code.
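Because the vulnerability class described above centres on ViewState handling and exposure of ASP.NET machine keys, the defender-side check is to confirm that ViewState MAC validation is on, that the machineKey uses strong algorithms and full-length keys, and to be able to rotate those keys if exposure is suspected. The script below is an added example written for this advisory, not ConnectWise or ScreenConnect code; it audits a constructed, generic ASP.NET web.config fragment (the element names and attribute semantics are standard ASP.NET, but the file is not ScreenConnect's own configuration) and emits a rotated machineKey element.

```python
import secrets
import xml.etree.ElementTree as ET

# Constructed sample web.config (NOT ScreenConnect's file), weakened on purpose:
# MAC disabled, SHA1 validation, and both keys shorter than recommended.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <pages enableViewStateMac="false" />
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="0123456789ABCDEF0123456789ABCDEF"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
"""

STRONG_VALIDATION = {"HMACSHA256", "HMACSHA384", "HMACSHA512"}
MIN_VALIDATION_HEX = 128  # 64-byte validation key, expressed as hex characters
MIN_DECRYPTION_HEX = 64   # 32-byte AES key, expressed as hex characters


def audit_viewstate_config(config_xml: str) -> list:
    """Return a list of findings; an empty list means the settings checked here are hardened."""
    root = ET.fromstring(config_xml)
    findings = []
    pages = root.find("./system.web/pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("ViewState MAC disabled")
    mk = root.find("./system.web/machineKey")
    if mk is None:
        # Auto-generated keys cannot be audited or rotated from the config file.
        findings.append("no explicit machineKey (cannot verify or rotate)")
        return findings
    validation = mk.get("validation", "HMACSHA256").upper()
    if validation not in STRONG_VALIDATION:
        findings.append(f"weak validation algorithm {validation}")
    if mk.get("decryption", "Auto").upper() != "AES":
        findings.append(f"decryption algorithm {mk.get('decryption')} is not AES")
    if len(mk.get("validationKey", "")) < MIN_VALIDATION_HEX:
        findings.append("validationKey shorter than 64 bytes")
    if len(mk.get("decryptionKey", "")) < MIN_DECRYPTION_HEX:
        findings.append("decryptionKey shorter than 32 bytes")
    return findings


def rotate_machine_key(config_xml: str) -> str:
    """Re-enable ViewState MAC and replace machineKey with fresh random keys and strong algorithms."""
    root = ET.fromstring(config_xml)
    web = root.find("./system.web")
    if web is None:
        web = ET.SubElement(root, "system.web")
    pages = web.find("pages")
    if pages is not None:
        pages.set("enableViewStateMac", "true")
    mk = web.find("machineKey")
    if mk is None:
        mk = ET.SubElement(web, "machineKey")
    mk.set("validationKey", secrets.token_hex(64).upper())  # 64 random bytes
    mk.set("decryptionKey", secrets.token_hex(32).upper())  # 32 random bytes for AES-256
    mk.set("validation", "HMACSHA256")
    mk.set("decryption", "AES")
    return ET.tostring(root, encoding="unicode")
```

Rotating keys invalidates existing ViewState and forms-authentication tickets, so apply it to every node of a web farm at once and expect users to re-authenticate.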
Patch Timeline:
The vulnerability was patched by ConnectWise on April 24, 2025, ahead of public disclosure.
Scope of Impact:
Only cloud-based ScreenConnect customers were affected. The exact number has not been disclosed.
Indicators of Compromise:
No public IOCs have been released at this time. Organizations are advised to audit authentication logs, privilege escalations, and outbound network activity from remote access hosts.
Organizational Response
- Incident Response Partner: Mandiant
- Actions Taken:
  - Enhanced internal monitoring and detection capabilities
  - Hardened security across all ConnectWise environments
  - Customer notifications issued
  - Law enforcement engaged
ConnectWise confirmed that no suspicious activity has been observed in any other customer environments since response measures were enacted.
Risks and Implications
This breach is a reminder that third-party software providers, especially those with privileged access into multiple networks, are prime targets for cyber-espionage and other high-impact operations. Organizations using ScreenConnect or similar remote tools should evaluate:
- The timeliness of vulnerability patching
- Centralized access controls and MFA enforcement
- Internal segmentation to restrict lateral movement
- Continuous threat detection for abnormal remote sessions
Recommendations for Critical Path Security Clients and Partners
- Patch Management: Ensure all remote access software, especially ScreenConnect, is up to date.
- Access Review: Audit administrative accounts and enforce least privilege.
- Threat Hunting: Conduct proactive threat hunts across remote session logs.
- MDR & XDR Monitoring: Leverage Léargas XDR capabilities to detect anomalous behaviour tied to remote access platforms.
- Engage with Vendors: Ensure there is a well-defined incident communication process with third-party providers.
Conclusion
The ConnectWise breach reinforces the importance of real-time visibility, secure configuration management, and trusted relationships with third-party vendors. Critical Path Security continues to monitor developments and recommends immediate action by all organizations using remote access platforms.
References
- BleepingComputer. (2025, May 29). ConnectWise breached in cyberattack linked to nation-state hackers. Retrieved from: https://www.bleepingcomputer.com/news/security/connectwise-breached-in-cyberattack-linked-to-nation-state-hackers/
- CRN. (2025). ConnectWise Confirms ScreenConnect Cyberattack, Says Systems Now Secure. Retrieved from: https://www.crn.com/news/channel-news/2025/connectwise-confirms-screenconnect-cyberattack-says-systems-now-secure-exclusive
- NIST National Vulnerability Database. CVE-2025-3935. Retrieved from: https://nvd.nist.gov/vuln/detail/CVE-2025-3935