Attackers breached ConnectWise, compromised customer ScreenConnect instances
A suspected “sophisticated nation state actor” has compromised ScreenConnect cloud instances of a “very small number” of ConnectWise customers, the company has revealed on Wednesday.
“We have not observed any additional suspicious activity in ScreenConnect cloud instances since the patch was released on April 24,” they added on Friday.
The patch in question fixes CVE-2025-3935, a ViewState deserialization vulnerability affecting ScreenConnect versions 25.2.3 and earlier, which can allow attackers to inject malicious code and achieve unauthenticated remote code execution on the underlying server.
What happened?
ConnectWise is a Florida-based company that develops software solutions tailored for managed service providers (MSPs), IT departments, and technology solution providers (TSPs).
ScreenConnect is the company’s popular remote support/access offering, which can be hosted by ConnectWise on their cloud infrastructure or self-hosted by organizations on their own dedicated physical or virtual infrastructure or in their private cloud.
ConnectWise mentioned suspicious activity within their environment, which points to customer instances hosted by ConnectWise having been compromised – apparently before the April 24 patch (for CVE-2025-3935) was deployed.
The company’s initial security event advisory was short, and the Frequently Asked Questions (FAQ) section added on Friday failed to provide more clarity about how the compromise happened.
ConnectWise confirmed that Mandiant’s forensic experts are helping them investigate the intrusion. We’ve reached out to ConnectWise for more information, but they simply pointed us to the sparse advisory.
“Our investigation is ongoing, and we will share additional information as we are able,” the company said.
About CVE-2025-3935
ScreenConnect is built using ASP.NET, a web framework developed by Microsoft for building web applications and services.
ASP.NET Web Forms uses ViewState to remember the state of a web page between visits, and it does so by serializing the relevant data, encoding it with Base64, and putting it in the web page’s __VIEWSTATE hidden field. To protect this data against tampering, ASP.NET employs machine keys.
But if attackers get their hands on these keys, they can craft a malicious ViewState and send it via a POST request to the website. The server will treat the data as trusted and deserialize it, thus allowing attackers to remotely execute potentially malicious code on the website’s server.
The success of the attack thus hinges on the attackers attaining privileged access to extract the machine keys and, of course, on them knowing how to exploit the deserialization flaw.
ConnectWise’s developers have mitigated this risk by pushing out the ScreenConnect 2025.4 patch, which disables ViewState and removes any dependency on it.
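The following is an added, simplified model of the integrity check described above; it is not ConnectWise’s or Microsoft’s code, and it uses JSON plus HMAC-SHA256 in place of ASP.NET’s ObjectStateFormatter and machineKey format. It shows why a leaked validation key defeats the check (a minted ViewState verifies exactly like a genuine one) and why disabling ViewState, as the 2025.4 patch does, removes the exposure regardless of key secrecy.

```python
import base64, hashlib, hmac, json, os
# Simplified model of ASP.NET ViewState integrity protection, constructed for
# illustration: real ASP.NET serializes with ObjectStateFormatter, not JSON.
# Layout: base64( serialized_state || HMAC-SHA256(validation_key, serialized_state) )
MAC_LEN = 32

class ViewStateHandler:
    def __init__(self, validation_key: bytes, viewstate_enabled: bool = True):
        self.validation_key = validation_key        # machineKey validationKey
        self.viewstate_enabled = viewstate_enabled  # False models the 2025.4 fix

    def _mac(self, payload: bytes) -> bytes:
        return hmac.new(self.validation_key, payload, hashlib.sha256).digest()

    def encode(self, state: dict) -> str:
        # Server: serialize page state and append the MAC so tampering is detectable.
        payload = json.dumps(state, sort_keys=True).encode()
        return base64.b64encode(payload + self._mac(payload)).decode()

    def decode(self, viewstate: str):
        # Server, on POST back: verify the MAC before deserializing; None means rejected.
        if not self.viewstate_enabled:
            return None  # nothing is deserialized, so a forged ViewState has no effect
        try:
            blob = base64.b64decode(viewstate, validate=True)
        except ValueError:
            return None
        payload, mac = blob[:-MAC_LEN], blob[-MAC_LEN:]
        if not hmac.compare_digest(mac, self._mac(payload)):
            return None  # MAC mismatch: tampered, or minted without the key
        # Only MAC-valid data reaches the deserializer; in ASP.NET's object formatter
        # this is where a key-holder's malicious object graph would execute.
        return json.loads(payload)

def demo() -> dict:
    key = os.urandom(64)  # constructed key; its secrecy is the entire defence
    server = ViewStateHandler(key)
    legit = server.encode({"page": "Example.aspx", "sort": "name"})  # constructed page name
    # Without the key: flip one payload byte; the MAC check must reject it.
    blob = bytearray(base64.b64decode(legit)); blob[3] ^= 0x01
    tampered = base64.b64encode(bytes(blob)).decode()
    # With the leaked key: minted state passes the check exactly like genuine state.
    minted = ViewStateHandler(key).encode({"page": "Example.aspx", "cmd": "injected"})
    patched = ViewStateHandler(key, viewstate_enabled=False)  # ViewState disabled
    return {
        "legit_accepted": server.decode(legit) is not None,
        "tampered_rejected": server.decode(tampered) is None,
        "minted_with_key_accepted": server.decode(minted) is not None,
        "minted_rejected_when_disabled": patched.decode(minted) is None,
    }
```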
Unfortunately, it seems that attackers managed to exploit this vulnerability before the patch was released: according to a complaint on Reddit by a customer who says they were affected, the compromise of their instance occurred in November 2024.
The vulnerability, as it affects ScreenConnect, has been labeled CVE-2025-3935, though the issue effectively impacts any product using the ASP.NET framework / ViewState, ConnectWise pointed out.
A similar vulnerability has also been exploited by attackers to compromise Gladinet’s CentreStack and Triofox file sharing and remote access platforms: CVE-2025-30406 stemmed from hardcoded machine keys that allowed attackers to successfully forge ViewState data.
Financially motivated threat actors and government-backed attackers notoriously exploited a ScreenConnect vulnerability last year, but ConnectWise says that this latest attack is not related to it.
“[This recently discovered] suspicious activity has been tied to a nation state threat actor that is known for intelligence collection,” the company shared.
UPDATE (June 4, 2025, 04:05 a.m. ET):
CISA has added CVE-2025-3935 to its Known Exploited Vulnerabilities catalog.