ConnectWise, a global provider of IT management software, is investigating a potential cyber attack by an ‘adversary’ believed to be a nation-state.
The vendor revealed to The Hacker News that the incident plagued only a small number of customers leveraging its ScreenConnect remote support and remote access software, which, as we reported last month, is being widely used by managed service providers (MSPs) from across the world.
In a statement issued late yesterday, ConnectWise said it had hired leading security firm Mandiant to investigate the incident in detail. Police have also been alerted and are working together on the investigation.
Although the extent and effect of the possible breach are still the subject of investigation, ConnectWise has responded promptly to close off that avenue of attack.” This covers a fix for the ScreenConnect flaw – tracked as CVE-2025-3935 - as well as additional monitoring and security hardening on its infrastructure.
The bug, a ViewState code injection flaw, is rated as high severity and could pave the way for attackers with existing access privileges to the affected servers to run malicious code.
The news has reverberated throughout the cybersecurity community and among ConnectWise’s vast customer base, which includes multitudes of MSPs that in turn oversee the IT systems of countless other enterprises. This has raised the possibility of a supply chain attack whereby a breach of ConnectWise could result in widespread secondary infections of its clients’ networks.
ConnectWise has claimed it has reached out to all impacted users and has not seen any additional abnormal activity within ScreenConnect cloud instances postpatch. However, little information about the timing of the attacks, or, the suspected nation-state actor behind the attacks and the type of data that was compromised.
Cunningham and other security pros stress the crucial need for ConnectWise to be quick and open with communicating with its clients. According to Huntress, MSPs are especially called upon to check their networks for signs of compromise and to update their systems with the newest patches as soon as possible.
The incident illustrates how nation-state attackers have been getting more audacious and technically capable when it comes to targeting software vendors specifically to be able to essentially gain a beachhead to then reach more broadly into customer ecosystems.
The investigation is on-going, however, and ConnectWise has pledged to provide more details when they become available. The suspected nation-state attack, and its potential reverberations, kept the cybersecurity world on edge.
