The breach was discovered in May 2025 and affected a small number of customers using ConnectWise's ScreenConnect cloud platform, a popular tool for remote IT support and maintenance.
ConnectWise said it quickly took action by bringing in cybersecurity experts from Mandiant, informing affected customers, and working with law enforcement agencies. The company has since strengthened its security systems and reported no further suspicious activity in its customers' systems.
The attackers are believed to have taken advantage of a serious flaw in ScreenConnect, listed as CVE-2025-3935. This vulnerability, rated 8.1 out of 10 in severity, allowed hackers with high-level access to run unauthorized code on systems. The flaw involves unsafe handling of certain data in the ASP.NET framework, which opened the door for remote code execution.
Although ConnectWise has not officially confirmed how the hackers got in, cybersecurity experts believe the attackers may have stolen machine keys from the cloud platform. These keys could have helped them create fake access tokens and break into customer systems.
The company says it has now patched the vulnerability and is closely monitoring its systems to ensure customer safety.