ConnectWise ScreenConnect Patched After Exploit by Nation State Actor

ConnectWise published a security advisory on May 28, 2025, disclosing “suspicious activity” in the company’s environment specifically affecting “a very small number of ScreenConnect customers.” The software company is working with Mandiant to implement monitoring and hardening measures and to continue investigation; the advisory alleges the activity was tied to a nation state actor. Just over a month earlier, on April 24, 2025, ConnectWise issued a patched release of ScreenConnect (version 25.2.4) to “reduce the risk of ViewState abuse” in light of an exploited ASP.NET weakness found by Microsoft Threat Intelligence in December 2024. While the patch announcement does not specify the flaw, the company simultaneously released a separate security bulletin announcing a patch for CVE-2025-3935, NVD CVSS score 7.2, which allows an attacker to perform a code injection attack through ScreenConnect by using compromised machine keys and generating a malicious ViewState. The Cybersecurity and Infrastructure Security Agency added this flaw to its Known Exploited Vulnerabilities (KEV) catalog on June 2, 2025. ConnectWise’s May 28 advisory states that no further suspicious activity in ScreenConnect cloud instances has been observed since the April 24 patch, but does not clarify the timeline of the attack, nor the timing of the flaw’s known exploitation relative to the patch, and does not specifically mention CVE-2025-3935.
 
Editor’s Note

[Neely]
CVE-2025-3935 was being actively exploited. The cloud instance is patched; if you’re an on-premises shop, you need to apply the update. While exploit activity dropped after the cloud environment was patched, the NVD publication will trigger threat actors looking for vulnerable installations. Don’t be that site.

Read more in:
 www.connectwise.com: May 28, 2025 Security Event Advisory
 www.connectwise.com: April 24, 2025 ScreenConnect Security Patch Advisory 
 www.connectwise.com: ScreenConnect 25.2.4 Security Patch (April 24, 2025)
 www.darkreading.com: Questions Swirl Around ConnectWise Flaw Used in Attacks
 therecord.media: ConnectWise says nation-state attack targeted multiple ScreenConnect customers
 thehackernews.com: ConnectWise Hit by Cyberattack; Nation-State Actor Suspected in Targeted Breach
 www.bleepingcomputer.com: CISA warns of ConnectWise ScreenConnect bug exploited in attacks