IT software provider ConnectWise reported a breach linked to a suspected nation-state actor, affecting a small number of customers of its popular remote IT management tool, ScreenConnect (previously ConnectWise Control). The announcement was made in a brief statement published May 28 on the company’s website.
Used widely by government agencies and enterprises, ScreenConnect has long been a target for cybercriminals due to its deep access into IT systems. Threat actors have exploited past vulnerabilities to launch ransomware attacks and steal sensitive data.
ConnectWise has launched an investigation in partnership with Mandiant, a Google Cloud subsidiary, and says there’s no indication of ongoing malicious activity in customer systems. “We have communicated with all affected customers and are coordinating with law enforcement,” a company spokesperson said. “As part of our work with Mandiant, we patched ScreenConnect and implemented enhanced monitoring and hardening measures.”
According to ConnectWise, the suspicious activity appears to have been isolated to on-premises instances of ScreenConnect. No issues have been detected in cloud-hosted environments since April 24, following the release of version 25.2.4. While open-source reports suggest that CVE-2025-3935, a high-severity remote code execution vulnerability, may have been used in the incident, ConnectWise has not confirmed whether this specific flaw was exploited.
The company urges all customers running on-premises ScreenConnect servers to upgrade immediately to version 25.2.4. Cloud environments have already been secured.
This is not the first time ScreenConnect vulnerabilities have been exploited. In early 2024, ConnectWise patched multiple zero-day vulnerabilities following widespread ransomware campaigns. Those incidents affected both cloud and on-premises systems and highlighted the growing risk of remote access tools being used as entry points for cyberattacks.
This incident underscores the persistent targeting of remote IT management platforms by advanced threat actors. Organizations relying on tools like ScreenConnect should prioritize patch management, endpoint monitoring, and identity protection strategies to reduce their exposure. Staying current on vendor advisories and leveraging endpoint security solutions that can detect abnormal behavior is essential in today’s threat landscape.