IT incident at Connectwise: State cyber criminals broke in
State "supported" criminals have apparently broken into Connectwise. They have accessed some ScreenConnect customers.
Connectwise is currently struggling not only with attacks on vulnerabilities in its ScreenConnect remote maintenance software: the company has also announced that state-sponsored criminals have apparently broken into the provider's networks.
According to Connectwise's security announcement, the IT incident took place at the end of May. “ConnectWise recently discovered suspicious activity in our environment that, we believe, is associated with an advanced state actor and affects a very small number of ScreenConnect customers,” the company writes. The incident dates back to May 28.
Investigations are still ongoing
Connectwise has involved the IT forensics experts from Google's subsidiary Mandiant in the investigation. All affected customers have been informed, and the company is also coordinating with law enforcement. With Mandiant's support, Connectwise has set up extended monitoring and taken hardening measures across the entire IT environment.
Connectwise has not observed any further suspicious activity in any customer instances. After the security update from the end of April was installed on the ScreenConnect cloud instances, nothing suspicious occurred there. This apparently refers to a ViewState code injection vulnerability that allows attackers to inject malicious code (CVE-2025-3935 / EUVD-2025-12502, CVSS 8.1, risk “high”).
Details on the attacks and their effects are rather sparse: previous investigation results indicate that the incident was limited to ScreenConnect, and apparently to the cloud instances. Connectwise cannot yet say whether the breach was caused by the aforementioned security vulnerability. The company therefore recommends applying the security updates from April to on-premises installations.
The manufacturer is currently concentrating on identifying affected partners and their systems and on limiting the impact of the cyberattack. At least it is probably not a ransomware attack: “The suspicious activity has been linked to a state threat actor known for intelligence gathering,” Connectwise explains.
(dmk)