ConnectWise reports that suspected nation-state actors are behind a hacking campaign against its customers.
In a recent development, ConnectWise, a leading provider of remote monitoring and management (RMM) software, is currently investigating a suspected nation-state attack on its ScreenConnect platform. The investigation, aided by cybersecurity firm Mandiant, centres around the exploitation of a high-severity vulnerability, CVE-2025-3935, which involves a ViewState code injection flaw in the ASP.NET Web Forms framework used by ScreenConnect.
This vulnerability allowed attackers to breach some ConnectWise customers' cloud instances by injecting malicious code remotely. The attackers used this method to gain stealthy, persistent remote access by abusing legitimate ScreenConnect software. The attack method, known as "living-off-the-land," involves exploiting trusted software's inherent capabilities to evade detection and maintain control over compromised systems.
A significant part of the threat campaign involved malicious droppers signed with valid ConnectWise digital certificates, enabling malware to bypass many security controls by appearing as legitimate software. The attackers used modified ScreenConnect clients with altered hidden settings—such as changing the installer title to "Windows Update" and adding fake update visuals—to trick victims into installing malware that grants remote access.
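The indicators described above (a ScreenConnect client whose installer title was changed to "Windows Update", a dropper signed with a valid but since-revoked ConnectWise certificate, and a client that grants remote access to a server the organization does not operate) lend themselves to a simple endpoint triage check. The following is an added example, not code from ConnectWise, Mandiant or the article: it assumes install telemetry has already been collected into `InstallEvent` records, uses placeholder certificate thumbprints (the real revoked ones come from the vendor advisory), and assumes the stock installer title and the organization's own ScreenConnect server hostname as allowlists.

```python
from dataclasses import dataclass

# Placeholder values only; real revoked thumbprints come from the vendor advisory.
REVOKED_SIGNER_THUMBPRINTS = {"PLACEHOLDER_REVOKED_THUMBPRINT_0001"}

# Assumed: the window title a stock ScreenConnect client installer shows.
EXPECTED_INSTALLER_TITLES = {"ScreenConnect Client"}

# Assumed: the ScreenConnect server(s) this organization actually operates.
ALLOWED_RELAY_HOSTS = {"support.example-msp.invalid"}


@dataclass(frozen=True)
class InstallEvent:
    host: str               # endpoint that recorded the install
    product_name: str       # product name from the binary's version resource
    signer_subject: str     # subject of the Authenticode signing certificate
    signer_thumbprint: str  # thumbprint of that certificate
    installer_title: str    # title shown by the installer window
    relay_host: str         # server the client is configured to call back to


def assess(event: InstallEvent) -> list[str]:
    """Return the reasons an install looks like an abused ScreenConnect client.

    An empty list means nothing in this record stood out. Only ScreenConnect
    clients are assessed; other products pass through untouched.
    """
    findings: list[str] = []
    if "screenconnect" not in event.product_name.lower():
        return findings

    # A valid vendor signature is not sufficient: the campaign used genuine
    # ConnectWise certificates that have since been revoked.
    if "connectwise" not in event.signer_subject.lower():
        findings.append(f"not signed by the vendor (signer {event.signer_subject!r})")
    if event.signer_thumbprint in REVOKED_SIGNER_THUMBPRINTS:
        findings.append("signed with a revoked ConnectWise certificate")

    # Altered installer branding, especially anything posing as an update.
    if event.installer_title not in EXPECTED_INSTALLER_TITLES:
        findings.append(f"installer title altered to {event.installer_title!r}")
        if "update" in event.installer_title.lower():
            findings.append("installer masquerades as a software update")

    # A client calling back to a server you do not run is remote access for someone else.
    if event.relay_host not in ALLOWED_RELAY_HOSTS:
        findings.append(f"client points at unknown ScreenConnect server {event.relay_host!r}")

    return findings


def triage(events: list[InstallEvent]) -> dict[str, list[str]]:
    """Map each host with at least one finding to its list of findings."""
    result: dict[str, list[str]] = {}
    for event in events:
        findings = assess(event)
        if findings:
            result[event.host] = findings
    return result


# Constructed sample telemetry: one legitimate install, one matching the
# campaign's indicators, and one unrelated product.
SAMPLE_EVENTS = [
    InstallEvent("ws-01", "ScreenConnect Client", "ConnectWise, LLC",
                 "PLACEHOLDER_VALID_THUMBPRINT", "ScreenConnect Client",
                 "support.example-msp.invalid"),
    InstallEvent("ws-02", "ScreenConnect Client", "ConnectWise, LLC",
                 "PLACEHOLDER_REVOKED_THUMBPRINT_0001", "Windows Update",
                 "unknown-relay.invalid"),
    InstallEvent("ws-03", "Notepad", "Example Publisher",
                 "PLACEHOLDER_OTHER_THUMBPRINT", "Notepad Setup", "n/a"),
]

if __name__ == "__main__":
    for host, reasons in triage(SAMPLE_EVENTS).items():
        print(host)
        for reason in reasons:
            print("  -", reason)
```

The check deliberately treats the signer allowlist and the revocation list as separate findings: a binary can pass the first and still fail the second, which is exactly the gap the campaign exploited. In practice the allowlists would be populated from the vendor's published certificate details and from the organization's own ScreenConnect deployment records rather than hard-coded.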
In response, ConnectWise has accelerated planned security enhancements, including rotating and updating code signing certificates for ScreenConnect, Automate, and RMM products. On-premises customers were required to update their software by June 13, 2025, to mitigate risks related to certificate misuse and remote access vulnerabilities. The company has revoked certificates involved in malicious activity and continues to support customers through these remediation efforts.
ASP.NET Web Forms is central to the incident because CVE-2025-3935 lies in its ViewState functionality, which attackers exploited to inject malicious code remotely on vulnerable ScreenConnect instances. The exploitation highlights the risks of legacy application frameworks and the need for robust patching and configuration management in remote access solutions.
ConnectWise has issued a security advisory and notified all affected customers. Law enforcement has also been alerted to the attack. No further suspicious activity has been observed in ScreenConnect cloud instances since the patch was installed.
In the past, ConnectWise has been targeted by hackers who exploited vulnerabilities in its software. However, this latest incident marks a significant escalation in the level of threat, with the involvement of a suspected nation-state actor. ConnectWise remains committed to ensuring the security of its customers' data and is actively working to contain the threat and prevent further exploitation.
- The investigation into the suspected nation-state attack on ConnectWise's ScreenConnect platform centres on a critical vulnerability, CVE-2025-3935, which allows remote code injection through the ViewState functionality of the ASP.NET Web Forms framework.
- The exploitation of this vulnerability has been used by attackers to infiltrate some ConnectWise customers' cloud instances, abusing the trusted ScreenConnect software for stealthy, persistent remote access.
- As a response to this incident, ConnectWise has accelerated security enhancements for its ScreenConnect, Automate, and RMM products, including the rotation and updating of code signing certificates, and requires on-premises customers to update their software by June 13, 2025, to mitigate risks related to certificate misuse and remote access vulnerabilities.