ConnectWise, the developer of remote access and support software ScreenConnect, has disclosed that it was the victim of a cyber attack that it said was likely perpetrated by a nation-state threat actor.
“ConnectWise recently learned of suspicious activity within our environment that we believe was tied to a sophisticated nation-state actor, which affected a very small number of ScreenConnect customers,” the company said in a brief advisory on May 28, 2025.
The company said it has engaged the services of Google Mandiant to conduct a forensic probe into the incident and that it has notified all affected customers. The incident was first reported by CRN.
Protect your privacy by Mullvad VPN. Mullvad VPN is one of the famous brands in the security and privacy world. With Mullvad VPN you will not even be asked for your email address. No log policy, no data from you will be saved. Get your license key now from the official distributor of Mullvad with discount: SerialCart® (Limited Offer).
➤ Get Mullvad VPN with 12% Discount
However, it did not reveal the exact number of customers who were impacted by the hack, when it happened, or the identity of the threat actor behind it.
It’s worth noting that the company, in late April 2025, patched CVE-2025-3935 (CVSS score: 8.1), a high-severity vulnerability in ScreenConnect versions 25.2.3 and earlier that could be exploited for ViewState code injection attacks using publicly disclosed ASP.NET machine keys – a technique Microsoft disclosed earlier this February.
The issue was addressed in ScreenConnect version 25.2.4. That said, it’s currently not known if the cyber attack is linked to the exploitation of the vulnerability.
ConnectWise said it has implemented enhanced monitoring and hardening measures across its environment to prevent such attacks from happening again in the future.
“We have not observed any further suspicious activity in any customer instances,” it added, stating it’s closely monitoring the situation.
In early 2024, security flaws in ConnectWise ScreenConnect software (CVE-2024-1708 and CVE-2024-1709) were exploited by both cybercrime and nation-state threat actors, including those from China, North Korea, and Russia, to deliver a variety of malicious payloads.
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
Some parts of this article are sourced from:
thehackernews.com
Meta Disrupts Influence Ops Targeting Romania, Azerbaijan, and Taiwan with Fake Personas