IT management software firm ConnectWise says a suspected state-sponsored cyberattack breached its environment and impacted a limited number of ScreenConnect customers.

“ConnectWise recently learned of suspicious activity within our environment that we believe was tied to a sophisticated nation state actor, which affected a very small number of ScreenConnect customers,” ConnectWise shared in a brief advisory.

“We have launched an investigation with one of the leading forensic experts, Mandiant. We have contacted all affected customers and are coordinating with law enforcement.”

ConnectWise is a Florida-based software company that provides IT management, RMM (remote monitoring and management), cybersecurity, and automation solutions for managed service providers (MSPs) and IT departments.

One of its products is ScreenConnect, a remote access and support tool that allows technicians to securely connect to client systems for troubleshooting, patching, and system maintenance.

As first reported by CRN, the company now says it has implemented enhanced monitoring and hardened the security across its network.

They also state that they have not seen any further suspicious activity in customer instances.

ConnectWise did not answer BleepingComputer’s questions about how many customers were impacted, when the breach occurred, or whether any malicious activity was observed in customers’ ScreenConnect instances.

However, a source told BleepingComputer that the breach occurred in August 2024, with ConnectWise discovering the supicious activity in May 2025, and that it only impacted cloud-based ScreenConnect instances. BleepingComputer has not been able to independently confirm the breach dates.

Jason Slagle, President of managed service provider CNWR, told BleepingComputer that only a very small number of customers were impacted, suggesting the threat actor carried out a targeted attack against specific organizations.

In a Reddit thread, customers shared further details, stating the incident is linked to a ScreenConnect vulnerability tracked as CVE-2025-3935, patched on April 24.

The CVE-2025-3935 flaw is a high-severity ViewState code injection bug caused by unsafe deserialization of ASP.NET ViewState in ScreenConnect versions 25.2.3 and earlier.

Threat actors with privileged system-level access can steal the secret machine keys used by a ScreenConnect server and utilize them to craft malicious payloads that trigger remote code execution on the server.

While ConnectWise did not state that this vulnerability was exploited at the time, it was marked as “High” priority, indicating it was either actively exploited or carried a significant risk of exploitation.

The company also stated that the flaw was patched on its cloud-hosted ScreenConnect platforms at “screenconnect.com” and “hostedrmm.com” before it was publicly disclosed to customers.

As the breach only impacted cloud-hosted ScreenConnect instances, it’s possible that threat actors first breached ConnectWise’s systems and stole the machine keys.

Using those keys, attackers could conduct remote code execution on the company’s ScreenConnect servers and potentially access customer environments.

However, it should be noted that ConnectWise has not confirmed whether this was how customer’s instances were breached.

Customers who spoke to BleepingComputer are frustrated by the lack of indicators of compromise (IOCs) and information shared by ConnectWise, leaving them with little information on what happened.

Last year, a ScreenConnect flaw tracked as CVE-2024-1709 was exploited by ransomware gangs and a North Korean APT hacking group to run malware.

BleepingComputer sent additional questions to ConnectWise but has not heard back at this time.