ConnectWise, developer of remote access and support software Screenconnect, revealed that it was the victim of a cyberattack who said it was likely carried out by nation-state threat actors.
“Connectwise recently learned suspicious activities within our environment that we believe are tied to sophisticated nation-state actors who have influenced a very small number of Screen Connect customers,” the company said in a brief recommendation on May 28, 2025.
The company said it had implemented Google Mandiant services to conduct forensic investigations into incidents and notified all affected customers. The incident was first reported by the CRN.
However, they did not reveal the exact number of customers affected by the hack, the identity of the threat actors when it happened or behind it.
It is worth noting that the company patched CVE-2025-3935 (CVSS score: 8.1) in late April 2025, a sophisticated vulnerability in Screen Connect version 25.2.3 that could previously be exploited to watch code injection attacks using published ASP.NET machine keys.
This issue was addressed in screenconnect version 25.2.4. That said, it is currently unclear whether cyberattacks link to vulnerability exploitation.
Connectwise said it has implemented enhanced monitoring and hardening measures throughout the environment to prevent such attacks from occurring again in the future.
“We have not observed any more suspicious activity in our customer instances,” he said, adding that we are closely monitoring the situation.
In early 2024, security flaws in ConnectWise ScreenConnect software (CVE-2024-1708 and CVE-2024-1709) provided various malicious payloads by threat actors, both cybercrime and nation-states, including those from China, North Korea and Russia.
Source link
