Nation-State Actor Breaches ConnectWise Customers’ ScreenConnect Instances

ConnectWise, a Florida-based provider of software solutions for managed service providers, reported on Wednesday that a suspected sophisticated nation-state actor has compromised the ScreenConnect cloud instances of a very limited number of its customers. The company has indicated that it is actively investigating the breach, which was detected before a critical security patch was deployed on April 24, 2025, to address a vulnerability identified as CVE-2025-3935.

The vulnerability in question is a ViewState deserialization flaw affecting ScreenConnect versions 25.2.3 and earlier that enables attackers to inject harmful code and gain unauthenticated remote code execution on the server. After reviewing its systems, ConnectWise acknowledged that it had detected suspicious activity in its environment that led to the compromise.

ConnectWise’s initial security event advisory was short on details, and additional information provided in a Frequently Asked Questions section failed to clarify how the breach occurred. The company has enlisted Mandiant’s forensic experts to assist in the investigation and says it is committed to sharing more information as it becomes available, but its public disclosures remain limited for now.

According to ConnectWise, the recent intrusion is believed to be the work of a nation-state threat actor known for intelligence gathering. The company said the attack was not related to previously exploited vulnerabilities in ScreenConnect and noted that its developers have released a patch to mitigate the risks associated with the identified flaw. The seriousness of this breach highlights the ongoing threat posed by advanced persistent threats and underscores the need for vigilant security measures among companies that rely on cloud-based technologies.

For further details on the vulnerability and security measures, ConnectWise pointed users to its official security bulletin and other relevant sources.