ConnectWise, a provider of IT management solutions, experienced a suspected state-sponsored cyberattack impacting a limited number of ScreenConnect customers. The breach was linked to a high-severity vulnerability (CVE-2025-3935) and potentially involved the theft of machine keys used for remote code execution. #CVE-2025-3935 #ScreenConnect #Mandiant
Key points
- ConnectWise detected suspicious activity linked to a nation-state actor in its environment.
- The breach affected only cloud-hosted ScreenConnect instances, possibly via stolen system keys.
- The vulnerability CVE-2025-3935 involved unsafe deserialization in older ScreenConnect versions.
- ConnectWise quickly patched the flaw on its cloud platforms and enhanced security measures.
- Customer awareness is low due to limited disclosures and a lack of indicators of compromise.