
ConnectWise, a company specializing in software for managing IT infrastructure, has disclosed a security breach within its environment, reportedly the result of a targeted cyberattack attributed to a foreign state actor. According to the company, the incident affected only a limited number of users of its cloud-based ScreenConnect service, a tool used for remote access and technical support.
In its official statement, ConnectWise reported having identified “suspicious activity” linked to a “sophisticated nation-state level threat actor.” An internal investigation is underway, conducted in collaboration with a team of external experts. Affected clients have been notified, and law enforcement agencies have been engaged. The company claims to have implemented enhanced monitoring and fortified security measures across its network. It further noted that no suspicious activity has been observed originating from its customers’ systems.
ConnectWise has not disclosed the number of impacted users, the precise timing of the breach, or whether any malicious behavior occurred within the compromised instances of ScreenConnect. However, a source indicated that the intrusion likely took place as early as August 2024, with ConnectWise only detecting signs of the breach in May 2025. The vulnerability appears to have affected only the cloud-hosted versions of ScreenConnect, specifically those deployed on the domains screenconnect.com and hostedrmm.com.
Clients involved in the incident and participants in discussions on Reddit suggested that the breach may be connected to vulnerability CVE-2025-3935. This high-priority flaw stems from insecure deserialization in the ASP.NET ViewState mechanism, potentially allowing attackers to execute arbitrary code on the server by tampering with data — provided they have obtained the machine keys. This vulnerability was patched on April 24, 2025, with fixes deployed across cloud platforms prior to any official user notification.
Although ConnectWise has not confirmed that CVE-2025-3935 was the specific exploit used in the attack, the nature of the flaw suggests that the attackers may have first gained access to the company’s internal systems and encryption keys, subsequently leveraging them to execute server-side code. This would have opened a potential pathway for intrusions into client environments via managed ScreenConnect cloud instances.
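Because the ViewState integrity check rests entirely on the secrecy of the machine keys, a useful defensive check on any ASP.NET application is whether those keys sit in a readable configuration file. The following is an added example, not code from ConnectWise or from the original article: a small auditor for the standard ASP.NET `machineKey` and `pages` settings, run against a constructed `web.config` with placeholder keys (the sample file and the function name `audit_viewstate_config` are assumptions for illustration).

```python
import xml.etree.ElementTree as ET

# Older validation settings; HMACSHA256 or stronger is preferred.
LEGACY_VALIDATION = {"MD5", "SHA1", "3DES"}

# Constructed sample web.config with placeholder keys; not taken from ScreenConnect.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="0000000000000000000000000000000000000000000000000000000000000000"
                decryptionKey="00000000000000000000000000000000"
                validation="SHA1" decryption="AES" />
    <pages enableViewStateMac="false" />
  </system.web>
</configuration>"""


def audit_viewstate_config(xml_text):
    """Return (setting, finding) tuples describing ViewState key hygiene issues."""
    findings = []
    root = ET.fromstring(xml_text)
    # iter() also reaches machineKey/pages elements nested under <location> blocks.
    for mk in root.iter("machineKey"):
        for attr in ("validationKey", "decryptionKey"):
            # An absent attribute means the framework auto-generates the key.
            value = mk.get(attr, "AutoGenerate")
            if not value.startswith("AutoGenerate"):
                findings.append((attr, "static key in config; anyone who can "
                                       "read this file can sign ViewState"))
        algo = mk.get("validation", "")
        if algo.upper() in LEGACY_VALIDATION:
            findings.append(("validation", f"legacy algorithm {algo}"))
    for pages in root.iter("pages"):
        # .NET 4.5.2 and later ignore this setting and always enforce the MAC,
        # but its presence still marks a config written without integrity in mind.
        if pages.get("enableViewStateMac", "true").lower() == "false":
            findings.append(("enableViewStateMac", "integrity check disabled"))
    return findings


if __name__ == "__main__":
    for setting, finding in audit_viewstate_config(SAMPLE_WEB_CONFIG):
        print(f"{setting}: {finding}")
```

Any static key the audit reports should be treated as exposed and rotated if the file, a backup of it, or the host itself may have been read by an unauthorized party.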
A representative from CNWR indicated that a very limited number of clients were affected, suggesting a highly targeted operation. Nonetheless, user frustration has mounted due to ConnectWise’s failure to publish indicators of compromise (IoCs) or provide technical details essential for assessing the broader impact.
It is worth recalling a similar event in 2024, when vulnerability CVE-2024-1709 in ScreenConnect was exploited by ransomware operators and a North Korean threat group to deploy malicious payloads. Despite past lessons, users once again find themselves hindered by a lack of transparency, complicating both timely response and risk evaluation.
To date, ConnectWise has yet to disclose technical specifics or the full scope of the breach.