ConnectWise ScreenConnect Breach and CVE-2025-3935: What You Need to Know

In late May 2025, ConnectWise, a well-known provider of IT management and remote monitoring solutions, revealed a significant cybersecurity incident impacting its ScreenConnect remote access platform. The breach, linked to a suspected nation-state adversary, drew attention to the growing risks in software supply chains, especially for Managed Service Providers (MSPs) relying on remote access tools.

This article examines the breach details, the underlying vulnerability (CVE-2025-3935), the impact assessment, and important lessons and steps organizations should take to defend themselves.

Incident Overview – What Happened?

ConnectWise announced the detection of suspicious activity within its environment, linked to a sophisticated, state-sponsored threat actor. This intrusion affected a small number of customers using the ScreenConnect cloud-hosted solution – a remote support tool that enables IT teams to connect and manage client systems.

Although the incident was publicly disclosed on May 28, 2025, the attacker’s initial access may date back to August 2024. The breach was confined to cloud-based ScreenConnect instances, with no indication that on-premise versions were involved.

To investigate, ConnectWise engaged cybersecurity firm Mandiant and collaborated with law enforcement. The company implemented enhanced network monitoring and strengthened security controls across its infrastructure. According to the official Security Event Advisory published on May 28, 2025, no further suspicious activity has been observed in customer environments since the patch was applied.

The advisory also confirmed that the breach impacted only a very limited number of ScreenConnect cloud customers. There is no evidence of ransomware or broader malicious campaigns; the activity appears consistent with intelligence-gathering efforts by a nation-state actor.

On-premise ScreenConnect deployments remain secure if properly patched. ConnectWise has proactively contacted all affected customers to provide support and remediation guidance.

Unpacking the Vulnerability: CVE-2025-3935

Central to the breach is the high-severity flaw identified as CVE-2025-3935 (CVSS 7.2), a ViewState code injection vulnerability in ASP.NET Web Forms, which ScreenConnect employs. This vulnerability was addressed in ScreenConnect version 25.2.4, released on April 24, 2025.

Vulnerability card of CVE-2025-3935 (SOCRadar Vulnerability Intelligence)

Gain real-time, actionable insights on the latest vulnerabilities with SOCRadar’s Vulnerability Intelligence, provided under the Cyber Threat Intelligence module. It collects and analyzes data from thousands of trusted sources to give you full visibility of the global vulnerability landscape. Identify relevant threats quickly, prioritize them using contextual scoring and predictive insights, and access key details including updates, Proof-of-Concept (PoC) exploits, and exploitability to guide your remediation efforts.

What Is ViewState and Why Is It Important?

Within ASP.NET applications, ViewState is a mechanism that preserves the state of web pages and controls between postbacks by storing encoded data in a hidden field on the client side. To protect this information from tampering, ASP.NET relies on cryptographic machine keys – specifically, the ValidationKey and DecryptionKey – to validate and decrypt the ViewState content.

How the CVE-2025-3935 Vulnerability Works

If an attacker obtains privileged access to the server, they can steal these machine keys. With the keys, the attacker can craft malicious ViewState payloads that the server trusts and executes upon receipt. This unsafe deserialization leads to Remote Code Execution (RCE) in the server process, effectively allowing the attacker to run arbitrary code inside the target system.

Microsoft’s detailed analysis, as referred to in ConnectWise’s April security advisory, explains how misuse of publicly exposed machine keys enables such attacks, and ConnectWise’s ScreenConnect was vulnerable due to unsafe deserialization practices prior to patching.

Possible Exploitation Scenario

While ConnectWise has not officially confirmed the exact method of exploitation, various cybersecurity researchers, community reports, and accounts from affected customers point to the likely use of the ViewState injection vulnerability tracked as CVE-2025-3935.

The attack progression may involve the following steps:

1. The adversary first compromises ConnectWise’s cloud infrastructure to gain privileged access.
2. Using stolen machine keys from the breached environment, they could trigger RCE on vulnerable ScreenConnect cloud instances.
3. This allows the threat actor to manipulate the environment and potentially access connected customer systems through ScreenConnect’s remote access capabilities.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recognized the severity of the flaw by adding CVE-2025-3935 to its Known Exploited Vulnerabilities catalog on June 2, 2025, mandating prompt patching by the due date of June 23, 2025.

SOCRadar’s Attack Surface Management module, Company Vulnerabilities page

Protect your digital footprint with SOCRadar’s Attack Surface Management (ASM). The ASM module continuously discovers and monitors your entire external attack surface, identifying unknown assets, misconfigurations, and vulnerabilities before attackers do. Additionally, stay compliant and reduce risk by leveraging the CISA KEV Check feature, which ensures you promptly address critical vulnerabilities flagged by CISA.

Recommended Actions for ScreenConnect Users

If you operate or support environments using ScreenConnect, either cloud-hosted or on-premises, consider taking the following steps.

Patch Promptly:

• Cloud Customers: No action required as ConnectWise has already patched hosted ScreenConnect servers.
• On-premises Customers: Immediately update to ScreenConnect version 25.2.4 or higher. The upgrade path must be followed sequentially from versions 22.8 → 23.3 → 25.2.4 to ensure full remediation.
• Detailed upgrade instructions are available via ConnectWise’s official advisories.

Review and Harden Access Controls:

• Restrict privileged access to machine keys and related credentials to only essential personnel.
• Implement vaulting or secure key management solutions to safeguard cryptographic materials.
• Rotate machine keys regularly to reduce risk in case of compromise.

Enhance Monitoring Capabilities:

• Deploy logging with alerts for anomalous activity in remote access tools.
• Use behavioral analysis and threat detection tools to identify unusual access patterns.
• Collaborate with trusted cybersecurity firms if internal expertise is limited.

Stay Informed and Prepared:

• Follow official advisories from ConnectWise and trusted security entities.
• Monitor updates from CISA and other government security agencies concerning vulnerability disclosures and remediation timelines.