Wednesday, July 23, 2025

ConnectWise Hit by Cyberattack; Nation-State Actor Suspected in Targeted Breach


ConnectWise, the developer of remote access and support software ScreenConnect, has disclosed that it was the victim of a cyber attack that it said was likely perpetrated by a nation-state threat actor.

“ConnectWise recently learned of suspicious activity inside the environment that we believe was tied to a sophisticated nation-state actor, which affected a very small number of ScreenConnect customers,” the company said in a brief advisory on May 28, 2025.

The company said it has engaged the services of Google Mandiant to conduct a forensic probe into the incident and that it has notified all affected customers. The incident was first reported by CRN.

However, it did not reveal the exact number of customers who were impacted by the hack, when it occurred, or the identity of the threat actor behind it.

It's worth noting that the company, in late April 2025, patched CVE-2025-3935 (CVSS score: 8.1), a high-severity vulnerability in ScreenConnect versions 25.2.3 and earlier that could be exploited for ViewState code injection attacks using publicly disclosed ASP.NET machine keys, a technique Microsoft disclosed earlier this February as being actively exploited by bad actors.

The issue was addressed in ScreenConnect version 25.2.4. That said, it's currently not known if the cyber attack is linked to the exploitation of the vulnerability.

ConnectWise said it has implemented enhanced monitoring and hardening measures across its environment to prevent such attacks from happening again in the future.

“We have not observed any further suspicious activity in any customer instances,” it added, stating it's closely monitoring the situation.


In early 2024, security flaws in ConnectWise ScreenConnect software (CVE-2024-1708 and CVE-2024-1709) were exploited by both cybercrime and nation-state threat actors, including those from China, North Korea, and Russia, to deliver a variety of malicious payloads.

ConnectWise Confirms Activity Linked to CVE-2025-3935

In a statement shared with The Hacker News, ConnectWise confirmed that the malicious activity is linked to the exploitation of CVE-2025-3935, for which a patch was released on April 24, 2025.

“We have not seen any suspicious ScreenConnect activity since releasing the patch on April 24,” the company said in an updated advisory. “All ScreenConnect customers, including on-premise ScreenConnect customers, should patch their systems, even if not on maintenance.”

(The story was updated after publication to include a response from ConnectWise confirming the exploitation of CVE-2025-3935.)
