Digital Espionage Alert: ConnectWise Confirms Nation-State Breach of ScreenConnect!

By Titiksha Srivastav - Assistant Editor

ConnectWise, a major provider of remote monitoring software, has confirmed a security breach linked to a suspected state-sponsored cyberattack. The breach affected customers using its ScreenConnect tool and has prompted urgent investigation and patching efforts amid concerns about a high-severity vulnerability.

The attack, which targeted its widely used ScreenConnect tool, has raised alarms across the global IT ecosystem as security experts investigate whether a known high-severity vulnerability was exploited.

The company disclosed the incident via a brief security advisory, noting that only a “very small number” of customers were directly affected. However, ConnectWise acknowledged the incident involved “suspicious activity tied to a nation-state actor”, prompting coordination with Mandiant, a top-tier cybersecurity forensics firm, and law enforcement agencies.

CVE-2025-3935: A Dangerous ViewState Vulnerability

Though the initial advisory made no mention of a patch or technical flaw, ConnectWise later admitted the breach may be linked to CVE-2025-3935, a critical authentication vulnerability in ScreenConnect involving ASP.NET ViewState code injection. ViewState is an ASP.NET feature that preserves the state of a web form between requests by serializing it into the page; its integrity is protected with the server’s ASP.NET machine keys. If attackers obtain those machine keys, they can craft a ViewState payload that the server accepts as trusted and deserializes, allowing malicious code to execute on the server.
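The risk described above hinges on two web.config settings: static machine keys that can leak, and a disabled ViewState MAC. As an added defender-side example (not from the article, ConnectWise or Microsoft), this Python audit flags both in a web.config; the two sample configs are constructed, and the assumed defaults for absent attributes are noted in the comments.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config fragments (hypothetical, not from any real server).
STATIC_KEY_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                validation="SHA1" decryption="AES" />
    <pages enableViewStateMac="false" />
  </system.web>
</configuration>"""

AUTOGEN_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""

# MAC algorithms that should no longer protect ViewState.
WEAK_VALIDATION = {"MD5", "SHA1"}


def audit_machine_key(web_config_xml: str) -> list[str]:
    """Return a list of findings about ViewState protection in a web.config."""
    findings = []
    root = ET.fromstring(web_config_xml)
    mk = root.find("./system.web/machineKey")
    if mk is not None:
        for attr in ("validationKey", "decryptionKey"):
            # Assumed default: an absent key attribute means AutoGenerate.
            value = mk.get(attr, "AutoGenerate")
            if not value.startswith("AutoGenerate"):
                findings.append(
                    f"static {attr}: if this value is ever exposed or reused across "
                    f"servers, an attacker can forge ViewState the server trusts")
        # Assumed default when 'validation' is absent: HMACSHA256.
        validation = mk.get("validation", "HMACSHA256").upper()
        if validation in WEAK_VALIDATION:
            findings.append(f"weak ViewState MAC algorithm {validation}: prefer HMACSHA256 or stronger")
    pages = root.find("./system.web/pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("enableViewStateMac=false: ViewState is accepted without any integrity check")
    return findings


if __name__ == "__main__":
    for name, cfg in (("static", STATIC_KEY_CONFIG), ("autogen", AUTOGEN_CONFIG)):
        print(name, audit_machine_key(cfg) or ["no findings"])
```

A static machineKey is not a flaw by itself (web farms need one), but the audit makes visible exactly where a leaked key would let ViewState be forged.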


ConnectWise stated it had issued a patch disabling ViewState and applied enhanced monitoring and hardening measures. Microsoft previously warned that more than 3,000 such keys had been exposed online. In one reported case, a threat actor used a compromised key in December to trigger a ViewState-based code injection attack.

Nation-State Links: Godzilla and Global Espionage

Security researchers have tied the ViewState exploit to the Godzilla post-exploitation framework, which has been previously linked to China-based state-sponsored groups. The same framework was seen in ransomware and espionage campaigns in 2024.

ConnectWise, along with other RMM vendors, has increasingly become a lucrative target for hackers due to the privileged access their tools provide to enterprise IT environments. Earlier this year, two other vulnerabilities in ScreenConnect (CVE-2024-1708 and CVE-2024-1709) were also exploited by actors suspected to be from North Korea, highlighting the platform’s appeal to global cyber-espionage campaigns.

Industry-Wide Threat: RMM Tools in the Crosshairs

The breach has once again highlighted the risks of “living off the land” attacks, where cybercriminals abuse legitimate software tools to blend in with normal operations. Groups like LockBit have also used RMM platforms like ScreenConnect for lateral movement and persistence within victim environments.

While ConnectWise says it has seen no further suspicious activity since implementing the patch, cybersecurity experts warn that more attacks could be brewing, especially from actors seeking to exploit delayed patching or misconfigurations in enterprise setups.
