ConnectWise Cyberattack: Nation-State Actor Suspected in Targeted Breach
- John Jordan
- 1 hour ago
ConnectWise, a leading provider of IT management solutions, has confirmed a cyberattack believed to be orchestrated by a sophisticated nation-state actor. The breach primarily impacted a limited number of customers of ScreenConnect, its remote access and support tool. An investigation is underway with the assistance of Mandiant, and affected clients have been notified.
Nation-State Actor Suspected in Targeted Breach
ConnectWise disclosed suspicious activity within its environment, attributing it to a sophisticated nation-state actor. The attack specifically targeted a small subset of ScreenConnect customers. While the exact number of affected clients and the timeline of the breach remain undisclosed by ConnectWise, reports suggest the intrusion may have occurred in August 2024, with discovery in May 2025.
Investigation and Remediation Efforts
ConnectWise has engaged Mandiant, a prominent cybersecurity firm, to conduct a thorough forensic investigation into the incident. The company has also informed all impacted customers and is cooperating with law enforcement agencies. As part of its response, ConnectWise has patched the ScreenConnect software and implemented enhanced monitoring and security measures across its infrastructure. No further suspicious activity has been observed since these updates.
Potential Vulnerability Link
The cyberattack may be linked to a high-severity vulnerability in ScreenConnect, tracked as CVE-2025-3935. This flaw, patched in late April 2025, allowed for ViewState code injection through unsafe deserialization of ASP.NET ViewState. While ConnectWise has not explicitly confirmed this vulnerability as the entry point, it was marked as a high priority, indicating a significant risk of exploitation. Previous ScreenConnect vulnerabilities (CVE-2024-1708 and CVE-2024-1709) were actively exploited by various threat actors, including nation-state groups, in early 2024.
Key Takeaways
- ConnectWise experienced a cyberattack attributed to a sophisticated nation-state actor.
- A small number of ScreenConnect customers were impacted.
- Mandiant is assisting with the forensic investigation.
- ConnectWise has patched ScreenConnect and enhanced security measures.
- A high-severity vulnerability (CVE-2025-3935) may be linked to the breach.
- The company is cooperating with law enforcement and has notified affected customers.
Impact on Customers and Industry
ConnectWise provides critical IT management solutions, including Remote Monitoring and Management (RMM) and cybersecurity tools, primarily to Managed Service Providers (MSPs) and IT departments. The breach underscores the persistent threat posed by sophisticated actors to supply chain software providers. While ConnectWise has not confirmed data exfiltration or system compromise beyond unauthorized access, the incident highlights the importance of robust security practices and timely patching for all organizations utilizing such platforms.
Sources
- ConnectWise suffered a cyberattack carried out by a sophisticated nation state actor, Security Affairs.
- ConnectWise Hit by Cyberattack; Nation-State Actor Suspected in Targeted Breach, The Hacker News.
- ConnectWise breached in cyberattack linked to nation-state hackers, BleepingComputer.