Warning of attacks on ConnectWise, Craft CMS and Asus routers
CISA warns of attacks on vulnerabilities in ConnectWise ScreenConnect, Craft CMS and Asus routers. Updates are available.
The US IT security authority CISA is currently warning of ongoing attacks on several security vulnerabilities in ConnectWise ScreenConnect, Craft CMS and Asus routers. The manufacturers are providing updates that close the vulnerabilities; admins should install them quickly.
In its warning, CISA names only the vulnerabilities and the products on which attacks have been observed in the wild. In the remote maintenance software ConnectWise ScreenConnect, the developers patched a vulnerability classified as high-risk with updates at the end of April. The flaw is a ViewState code injection that allows attackers to inject and execute malicious code (CVE-2025-3935 / EUVD-2025-12502, CVSS 8.1, risk “high”). Updating to ScreenConnect 25.2.4 or newer fixes the bug, which CISA now sees being attacked in the wild.
Other systems under attack
In Asus GT-AC2900 routers, criminals are attacking a vulnerability for which the manufacturer provided firmware updates in 2021 (CVE-2021-32030 / EUVD-2021-18896, CVSS 9.8, risk “critical”). Attackers can also inject unauthorized commands into Asus RT-AX55 routers if the firmware update from 2023 or newer has not been applied, and they are now doing so (CVE-2023-39780 / EUVD-2023-43480, CVSS 8.8, risk “high”).
Online criminals are also attacking vulnerabilities in Craft CMS. One vulnerability allows attackers to inject and execute malicious code over the network (CVE-2024-56145 / EUVD-2024-3545, CVSS 9.3, risk “critical”); a second, in combination with other vulnerabilities, allows the execution of injected code (CVE-2025-35939 / EUVD-2025-13951, CVSS 5.3, risk “medium”). Craft CMS 5.7.5 and 4.15.3, as well as newer versions, patch the vulnerabilities.
CISA does not provide any further details on the observed attacks. The type and scope are therefore unclear, and information on detecting (successful) attacks is also missing. However, IT managers with affected products should download and install the available updates as soon as possible.
(dmk)