Attackers Breach ConnectWise, Compromise Customer ScreenConnect Instances

On Wednesday, IT management software provider ConnectWise disclosed that it had become the target of a cyberattack, leading to the compromise of a limited number of customer instances of its remote access tool, ScreenConnect.

The breach was reportedly perpetrated by a “sophisticated nation-state actor”.

The ScreensConnect CVE-2025-3935 Vulnerability

The breach was made possible due to a ViewState deserialization vulnerability in ScreenConnect, classified as CVE-2025-3935, which affects versions 25.2.3 and earlier.

This vulnerability enables an attacker to execute arbitrary commands on the server by injecting malicious code.

While the vulnerability has been patched as of April 24th, it is believed that the attackers were able to exploit it prior to the patch deployment, potentially impacting any ScreenConnect instances that hadn’t been updated swiftly.

Immediate Response and Damage Control

ConnectWise took swift remedial action following the discovery of the breach, providing customers with both immediate and long-term recommended actions.

This included rolling out patches and guiding customers to ensure their systems were upgraded to ScreenConnect version 25.3.4, which is not affected by CVE-2025-3935.

Acknowledging the seriousness of the breach, ConnectWise stated, “We have not observed any additional suspicious activity in ScreenConnect cloud instances since the patch was released.”

Key Takeaways for Cybersecurity Professionals

This incident underscores the need for prompt patch management and the ongoing vigilance required to detect and respond to similar breaches promptly.

Additionally, any software with remote access capabilities can be a potential gateway for attackers, and therefore, it is essential to keep such tools up-to-date and monitored for signs of unusual activity.

Cybersecurity professionals should view this incident as a reminder of the importance of implementing stringent access controls and deploying proactive threat intelligence measures.

Furthermore, as nation-state actors continue to increase their cyber activities, it should serve as a wake-up call to allocate enhanced resources towards advanced threat detection and prompt incident response strategies.

Follow-Up Reading

1. CSO Online: Cybersecurity news, analysis, and insights

2. Krebs on Security: In-depth security news and investigation

3. Dark Reading: Connecting the information security community