ConnectWise, the company behind the remote access and support platform ScreenConnect, has confirmed it was targeted in a cyberattack believed to have been carried out by a sophisticated nation-state threat actor.
In a brief advisory report published on May 28, 2025, the company stated, “ConnectWise recently identified suspicious activity within our systems that we believe is linked to a nation-state actor. The incident impacted only a very small number of ScreenConnect customers.”
To investigate the breach, ConnectWise has brought in cybersecurity firm Google Mandiant for a comprehensive forensic analysis. The company also said it has notified all customers affected by the incident, which was initially reported by CRN.
However, ConnectWise has not disclosed key details such as the exact number of affected customers, when the breach occurred, or which threat actor is responsible.
Notably, in late April 2025, the company addressed CVE-2025-3935—a high-severity vulnerability (CVSS score: 8.1) affecting ScreenConnect versions 25.2.3 and earlier. This flaw could be exploited via ViewState code injection attacks using publicly exposed ASP.NET machine keys, a method Microsoft flagged in February 2025 as actively used by threat actors. The vulnerability was patched in version 25.2.4, though it’s unclear whether it played a role in the recent attack.
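The two conditions named above (a release older than 25.2.4 and an ASP.NET machine key that is hard-coded or publicly known) can be checked together during triage. The following is an added example, not code from ConnectWise, Microsoft or the original article; the function names, the sample configuration and the list of known key hashes are constructed for illustration, and it assumes the standard ASP.NET `machineKey` element under `system.web` in a `web.config` file.

```python
import hashlib
import xml.etree.ElementTree as ET

FIXED_VERSION = (25, 2, 4)  # first patched release named in the article

# Constructed sample key and hash list; a real list of disclosed keys would
# come from your own threat-intel source (assumption, not from the article).
SAMPLE_KEY = "0123456789ABCDEF" * 4
KNOWN_PUBLIC_KEY_HASHES = {hashlib.sha256(SAMPLE_KEY.encode()).hexdigest()}

# Constructed web.config fragments for the demonstration.
STATIC_CONFIG = (
    "<configuration><system.web>"
    f'<machineKey validationKey="{SAMPLE_KEY}" decryptionKey="AutoGenerate,IsolateApps" />'
    "</system.web></configuration>"
)
DEFAULT_CONFIG = "<configuration><system.web /></configuration>"


def parse_version(text):
    """Turn '25.2.3' or '25.2.3.1234' into a comparable (major, minor, patch) tuple."""
    return tuple(int(part) for part in text.strip().split(".")[:3])


def machine_key_findings(web_config_xml):
    """Report hard-coded machineKey values and any that match the known-public list."""
    findings = []
    node = ET.fromstring(web_config_xml).find("system.web/machineKey")
    if node is None:
        return findings  # no explicit element: ASP.NET generates keys itself
    for attr in ("validationKey", "decryptionKey"):
        value = node.get(attr, "AutoGenerate")
        if value.split(",")[0].strip().lower() == "autogenerate":
            continue  # auto-generated keys are not copied from a public source
        findings.append(f"{attr} is hard-coded")
        digest = hashlib.sha256(value.strip().upper().encode()).hexdigest()
        if digest in KNOWN_PUBLIC_KEY_HASHES:
            findings.append(f"{attr} matches a publicly known key")
    return findings


def triage(version_text, web_config_xml):
    """Combine the version check with the machineKey check for one instance."""
    findings = machine_key_findings(web_config_xml)
    if parse_version(version_text) < FIXED_VERSION:
        findings.insert(0, "version predates 25.2.4")
    return findings


if __name__ == "__main__":
    print(triage("25.2.3", STATIC_CONFIG))
    print(triage("25.2.4", DEFAULT_CONFIG))
```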
In response to the incident, ConnectWise said it has strengthened its monitoring and security protocols to mitigate future threats.
“We have not detected any further suspicious activity across customer instances,” the company added, emphasizing that it continues to monitor the situation closely.
This is not the first time ConnectWise’s software has been targeted. In early 2024, vulnerabilities in ScreenConnect (CVE-2024-1708 and CVE-2024-1709) were exploited by both cybercriminals and nation-state actors from countries such as China, North Korea, and Russia to deploy various malicious payloads.