ConnectWise Discloses Suspected State-Sponsored Hack

IT management software provider ConnectWise has warned customers that a suspected state-sponsored threat actor had breached its network.

“ConnectWise recently learned of suspicious activity within our environment that we believe was tied to a sophisticated nation state actor, which affected a very small number of ScreenConnect customers,” the company said in a scarce advisory.

The Florida-based company says it has notified all impacted customers and that it is investigating the incident together with Mandiant. Law enforcement has been notified as well.

“As part of our work with Mandiant, we implemented enhanced monitoring and hardening measures across our environment. We have not observed any further suspicious activity in any customer instances,” the company said.

“We are closely monitoring the situation and will share additional information as we are able,” ConnectWise said, responding to a SecurityWeek inquiry. The company refrained from sharing additional information on the incident.

According to posts on Reddit, the intrusion likely occurred in November 2024 and ConnectWise has since identified and addressed the underlying vulnerability.

The security defect appears to be CVE-2025-3935, a high-severity vulnerability that exposed ScreenConnect versions 25.2.3 and earlier to ViewState code injection attacks, allowing remote attackers to execute arbitrary code on the server.

Successful exploitation of the bug requires that an attacker obtains machine keys that protect ViewState, for which they would first require privileged system level access.

ConnectWise announced patches for the flaw on April 24, when it revealed that it had learned of the issue from Microsoft, which observed in-the-wild “misuse of publicly available ASP.NET machine keys to inject malicious code and deploy a post-exploitation framework” in December 2024.

“Microsoft found that publicly accessible keys were being utilized to perform malicious actions on servers generally,” ConnectWise said, pointing out that any product utilizing ASP.NET framework ViewStates was likely affected.

ConnectWise ScreenConnect, a popular self-hosted remote desktop application that provides asset management, remote work, and technical support capabilities, is known to have been targeted in the wild before, to compromise enterprise networks for data theft and ransomware deployment.

*Updated with ConnectWise response.

Related: Companies Warned of Commvault Vulnerability Exploitation

Related: Printer Company Procolored Served Infected Software for Months

Related:Trump Coins Used as Lure in Malware Campaign