ConnectWise reports a breach linked to a suspected state-sponsored threat actor affecting a small number of customers using ScreenConnect. The company, working with Mandiant and law enforcement, has patched a critical vulnerability (CVE-2025-3935) exploited for remote code execution. #CVE-2025-3935 #ScreenConnect
Key points
- ConnectWise identified suspicious activity tied to a nation-state actor in their network.
- The incident affected a small group of ScreenConnect customers and prompted an investigation with Mandiant.
- The security flaw is CVE-2025-3935, a high-severity ViewState code injection vulnerability.
- Exploitation required attackers to obtain ASP.NET machine keys, which in turn requires privileged access.
- ConnectWise issued patches in April 2025 after Microsoft detected misuse of ASP.NET keys in the wild.
Read More: https://www.securityweek.com/connectwise-discloses-suspected-state-sponsored-hack/