ConnectWise, a prominent provider of IT management solutions, has confirmed it was the target of a sophisticated cyberattack in May 2025, attributed to a nation-state actor.
The breach, which exploited a critical bug in the company’s ScreenConnect cloud platform, has put the internal data of a limited number of customers at risk.
The attack specifically impacted users of ConnectWise’s ScreenConnect cloud service, a widely utilized tool for remote support and system maintenance.
Upon discovery, ConnectWise engaged forensic cybersecurity experts from Mandiant, notified affected customers, and initiated coordination with law enforcement agencies.
The company says it has implemented enhanced monitoring and security hardening measures, and that no further suspicious activity has been detected in customer environments.
The root of the breach has been identified as a high-severity vulnerability within ScreenConnect, tracked as CVE-2025-3935 (CVSS 8.1).
This flaw allowed attackers with privileged system-level access to execute code remotely through ViewState code injection, which abuses unsafe deserialization in the ASP.NET framework.
While ConnectWise has not officially disclosed the precise exploitation method, cybersecurity researchers and community reports suggest the attackers may have compromised machine keys from the cloud infrastructure.
This would have enabled them to craft malicious payloads, leading to unauthorized access.
The vulnerability stems from the ASP.NET ViewState mechanism, which is designed to preserve page and control states between client and server interactions.
ViewState data is Base64 encoded and secured by machine keys – specifically, the ValidationKey for Message Authentication Code (MAC) generation and the DecryptionKey for encryption.
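Because the integrity of ViewState rests entirely on those two keys, a useful defensive check is to review how an ASP.NET application's web.config handles them. The following Python sketch is an added example, not code from ConnectWise or from the original article; the sample configuration and its placeholder key value are constructed, and the function name `audit_viewstate_config` is hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config; the key value is a placeholder, not a real key.
SAMPLE_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="PLACEHOLDER_VALIDATION_KEY"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="SHA1" decryption="AES" />
    <pages enableViewStateMac="false" viewStateEncryptionMode="Never" />
  </system.web>
</configuration>"""

# Older values of the machineKey "validation" attribute.
LEGACY_VALIDATION = {"MD5", "SHA1", "3DES"}


def audit_viewstate_config(xml_text):
    """Return (setting, finding) tuples for ViewState-related settings."""
    root = ET.fromstring(xml_text)
    findings = []
    # iter() also reaches elements nested under <location> sections.
    for mk in root.iter("machineKey"):
        for attr in ("validationKey", "decryptionKey"):
            value = mk.get(attr, "AutoGenerate")
            if not value.startswith("AutoGenerate"):
                findings.append((attr, "static key stored in config: restrict "
                                       "file access, rotate if disclosure is suspected"))
        algo = mk.get("validation", "")
        if algo.upper() in LEGACY_VALIDATION:
            findings.append(("validation", f"legacy MAC algorithm {algo}"))
    for pages in root.iter("pages"):
        if pages.get("enableViewStateMac", "true").lower() == "false":
            findings.append(("enableViewStateMac", "ViewState MAC check disabled"))
        if pages.get("viewStateEncryptionMode", "Auto").lower() == "never":
            findings.append(("viewStateEncryptionMode", "ViewState is never encrypted"))
    return findings


if __name__ == "__main__":
    for setting, finding in audit_viewstate_config(SAMPLE_CONFIG):
        print(f"{setting}: {finding}")
```

Static keys are legitimate in load-balanced deployments, so that finding is a prompt to protect and rotate the key material, not an error in itself.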
ConnectWise has released a critical security patch, version 25.2.4, to address the ViewState vulnerability.
All ScreenConnect cloud servers have been proactively updated.
On-premises users are strongly urged to upgrade immediately.
In addition to patching, ConnectWise recommends that all users enhance their monitoring for indicators of compromise (IoCs) to further bolster their defenses against potential residual threats.
Founded in 1982 and headquartered in Tampa, Florida, ConnectWise has established itself as a leading software company dedicated to managed service providers (MSPs).
The company serves thousands of small and midsized businesses globally through its comprehensive suite of business management solutions.
ConnectWise empowers MSPs with all-in-one tools: RMM, UMM, SOC, NOC, and Cybersecurity.
ConnectWise’s flagship innovation is the Asio platform, the world’s first true MSP platform providing unprecedented flexibility and security with built-in artificial intelligence, robotic process automation, and machine learning capabilities.