ConnectWise, the developer of remote access and support software ScreenConnect, has disclosed that it was the victim of a cyber attack that it said was likely perpetrated by a nation-state threat actor.
“ConnectWise recently learned of suspicious activity within our environment that we believe was tied to a sophisticated nation-state actor, which affected a very small number of ScreenConnect customers,” the company said in a brief advisory on May 28, 2025.
The company said it has engaged the services of Google Mandiant to conduct a forensic probe into the incident and that it has notified all affected customers. The incident was first reported by CRN.
However, it did not reveal the exact number of customers who were impacted by the hack, when it happened, or the identity of the threat actor behind it.
It’s worth noting that the company, in late April 2025, patched CVE-2025-3935 (CVSS score: 8.1), a high-severity vulnerability in ScreenConnect versions 25.2.3 and earlier that could be exploited for ViewState code injection attacks using publicly disclosed ASP.NET machine keys – a technique Microsoft disclosed earlier this February.
The issue was addressed in ScreenConnect version 25.2.4. That said, it’s currently not known if the cyber attack is linked to the exploitation of the vulnerability.
ConnectWise said it has implemented enhanced monitoring and hardening measures across its environment to prevent such attacks from happening again in the future.
“We have not observed any further suspicious activity in any customer instances,” it added, stating it’s closely monitoring the situation.
In early 2024, security flaws in ConnectWise ScreenConnect software (CVE-2024-1708 and CVE-2024-1709) were exploited by both cybercrime and nation-state threat actors, including those from China, North Korea, and Russia, to deliver a variety of malicious payloads.
