ConnectWise ScreenConnect Breach: Nation-State Exploitation via CVE-2025-3935


On May 28, 2025, ConnectWise confirmed a cyberattack on its ScreenConnect cloud infrastructure attributed to a sophisticated nation-state actor. The intrusion affected a limited number of customers and prompted an investigation led by Mandiant. ConnectWise has since patched the vulnerability, implemented enhanced monitoring, and stated no further malicious activity has been observed. While details about the timing and extent of the breach remain undisclosed, the incident underscores the persistent risk posed by legacy systems in the MSP ecosystem.

Severity Level: Critical

How The Breach Happened

The breach is linked to exploitation of CVE-2025-3935, a ViewState code injection vulnerability in ScreenConnect versions 25.2.3 and earlier.

  • Technical Detail (CVE-2025-3935):
    • CWE-287: Improper Authentication
    • CVSS Score: 8.1 (High)
    • Exploit Vector: Remote attackers could craft malicious ViewState payloads using compromised ASP.NET machine keys to achieve remote code execution on the server.
    • Exploitation required privileged access to obtain the machine keys first, indicating the attacker likely already had a foothold or chained this with another exploit.
  • Patch 25.2.4, released on April 24, 2025, mitigated this by disabling ViewState and removing the product's dependency on it.

Data Stolen During The Breach

According to ConnectWise’s statements:

  • There is no evidence of data exfiltration.
  • The breach was not a ransomware incident, but rather an intelligence-focused operation.
  • Only unauthorized access was confirmed, and affected customers were contacted individually.

Impact

  • The incident affected a small number of ScreenConnect cloud customers.
  • No impact was reported on other ConnectWise services or systems.
  • All known affected users were contacted.
  • The breach did not cause service outages or widespread compromise.
  • No follow-up activity has been observed since the April 24 patch.

Historical Context:

  • Related threat actors previously exploited CVE-2024-1708 and CVE-2024-1709 in early 2024.
  • Threat actors from China, North Korea, and Russia were linked to earlier attacks against ConnectWise tools.

Lessons Learned

  • Though CVE-2025-3935 was patched on April 24, 2025, delayed patch adoption likely allowed exploitation. Patch latency continues to be a systemic vulnerability in both cloud and on-premise environments.
  • Exploitation required compromise of machine-level ASP.NET keys, underscoring the need for strict credential lifecycle management, privilege separation, and default deny policies.

Recommendations:

  1. Apply CVE-2025-3935 patch (v25.2.4) immediately for all on-premises ScreenConnect instances.
  2. Rotate and securely store ASP.NET machine keys.
  3. Follow best practices for securing machine keys and web servers:
    • Follow secure DevOps standards and securely generate machine keys. Avoid using default keys or keys listed in public resources.
    • At deployment, encrypt sensitive elements of web.config such as machineKey and connectionStrings. This keeps these secrets from ever existing in plaintext on the file system, so an attacker who can read the file cannot recover them.
    • Upgrade your application to ASP.NET 4.8 to enable Antimalware Scan Interface (AMSI) capabilities.
    • Harden Windows Server instances by using attack surface reduction rules such as "Block Webshell creation for Servers".
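The two key-handling recommendations above (generate keys securely, never leave them in plaintext) can be checked mechanically. The script below is an added example written for this advisory, not ConnectWise or Microsoft code: it parses the machineKey element of a web.config, reports whether the section is encrypted (aspnet_regiis -pe leaves a configProtectionProvider attribute behind), flags weak MAC/cipher algorithms, undersized or low-entropy keys, and emits a replacement element drawn from the OS CSPRNG. The size and algorithm thresholds (HMACSHA256 with a 64-byte validationKey, AES with a 32-byte decryptionKey) are assumptions based on current ASP.NET guidance, not values from the advisory, and both sample configs are constructed.

```python
import re
import secrets
import xml.etree.ElementTree as ET

# Constructed sample configs for the demo; not taken from any real deployment.
WEAK_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="ABCDEFABCDEFABCDEFABCDEFABCDEFAB"
                decryptionKey="00000000000000000000000000000000"
                validation="SHA1" decryption="3DES" />
  </system.web>
</configuration>"""

ENCRYPTED_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey configProtectionProvider="RsaProtectedConfigurationProvider">
      <EncryptedData>placeholder-ciphertext</EncryptedData>
    </machineKey>
  </system.web>
</configuration>"""

# Assumed thresholds (current ASP.NET guidance, not from the advisory).
WEAK_VALIDATION = {"MD5", "SHA1", "3DES"}
WEAK_DECRYPTION = {"DES", "3DES"}
MIN_VALIDATION_HEX = 128   # 64-byte key for HMACSHA256
MIN_DECRYPTION_HEX = 64    # 32-byte key for AES-256
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")


def _check_key(name, value, min_hex, findings):
    """Append findings about one key attribute (validationKey/decryptionKey)."""
    if "AutoGenerate" in value:
        findings.append(("AUTOGENERATE", f"{name} is auto-generated per host; "
                         "ViewState will not validate across a web farm"))
        return
    if not HEX_RE.match(value):
        findings.append(("NOT_HEX", f"{name} is not a hex string"))
        return
    if len(value) < min_hex:
        findings.append(("SHORT_KEY", f"{name} is {len(value) // 2} bytes; "
                         f"expected at least {min_hex // 2}"))
    distinct = len(set(value.lower()))
    if distinct < 8:
        # A CSPRNG-derived key of this length uses nearly every hex digit;
        # a handful of distinct digits points to a hand-typed placeholder.
        findings.append(("LOW_ENTROPY", f"{name} uses only {distinct} distinct "
                         "hex digits; looks like a placeholder, not a random key"))


def audit_machine_key(web_config_xml):
    """Return a list of (code, message) findings for <system.web><machineKey>."""
    findings = []
    root = ET.fromstring(web_config_xml)
    mk = root.find("system.web/machineKey")
    if mk is None:
        findings.append(("MISSING", "no <machineKey>; ASP.NET auto-generates keys per host"))
        return findings
    provider = mk.get("configProtectionProvider")
    if provider:
        findings.append(("ENCRYPTED", f"section protected with {provider}; "
                         "plaintext keys are not on disk"))
        return findings
    findings.append(("PLAINTEXT", "machineKey stored in plaintext; encrypt the "
                     "section (aspnet_regiis -pe \"system.web/machineKey\")"))
    validation = mk.get("validation", "HMACSHA256")
    decryption = mk.get("decryption", "Auto")
    if validation.upper() in WEAK_VALIDATION:
        findings.append(("WEAK_VALIDATION", f"validation={validation}"))
    if decryption.upper() in WEAK_DECRYPTION:
        findings.append(("WEAK_DECRYPTION", f"decryption={decryption}"))
    _check_key("validationKey", mk.get("validationKey", "AutoGenerate,IsolateApps"),
               MIN_VALIDATION_HEX, findings)
    _check_key("decryptionKey", mk.get("decryptionKey", "AutoGenerate,IsolateApps"),
               MIN_DECRYPTION_HEX, findings)
    return findings


def generate_machine_key():
    """Build a replacement element with fresh keys from the OS CSPRNG."""
    return ('<machineKey validationKey="{}" decryptionKey="{}" '
            'validation="HMACSHA256" decryption="AES" />').format(
                secrets.token_hex(64).upper(), secrets.token_hex(32).upper())


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_WEB_CONFIG), ("encrypted", ENCRYPTED_WEB_CONFIG)):
        print(f"[{label}]")
        for code, msg in audit_machine_key(cfg):
            print(f"  {code}: {msg}")
    print("replacement:", generate_machine_key())
```

Run it against a real web.config by reading the file into `audit_machine_key`; the generated element is meant to be pasted in during a key rotation and then encrypted in place, so that the plaintext never remains on disk.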

Source:

  • https://thehackernews.com/2025/05/connectwise-hit-by-cyberattack-nation.html
  • https://www.connectwise.com/company/trust/advisories
  • https://www.connectwise.com/company/trust/security-bulletins/screenconnect-security-patch-2025.4
  • https://www.crn.com/news/channel-news/2025/connectwise-confirms-screenconnect-cyberattack-says-systems-now-secure-exclusive



Ampcus Cyber