One ASP.NET Bug – and Foreign Intelligence Hacked ConnectWise’s Cloud
Their servers were breached almost a year ago, but you’re only finding out now.

ConnectWise, a major provider of IT infrastructure management software, has disclosed a nation-state cyberattack that compromised its ScreenConnect cloud service, used for remote access and technical support. The company claims only a "limited number" of customers were affected, but the breach may have gone undetected for nearly 10 months.
Key Details of the Attack
- Attackers: Likely a state-sponsored hacking group (ConnectWise avoids naming the country).
- Initial Breach: Possibly as early as August 2024—discovered only in May 2025.
- Exploited Vulnerability: Suspected to be CVE-2025-3935 (critical ASP.NET flaw in ViewState deserialization).
  - Allows remote code execution (RCE) if attackers obtain machine keys.
  - Patched by Microsoft in April 2025, but some systems remained exposed.
- Target: Only cloud-hosted ScreenConnect instances (screenconnect.com, hostedrmm.com).
How the Hack Unfolded
- Initial Access: Attackers likely stole encryption keys or exploited misconfigurations.
- Lateral Movement: Used server-side code execution to infiltrate customer environments.
- Persistence: Remained undetected for months—possibly exfiltrating data or deploying malware.
- Discovery: Unusual activity flagged in May 2025, prompting an investigation.
Why This Matters
- ScreenConnect is a high-value target—used by MSPs (managed service providers) to control client systems.
- The same product was hacked in 2024 via CVE-2024-1709 (exploited by ransomware gangs and North Korean hackers).
- Lack of transparency: ConnectWise hasn’t shared IoCs (Indicators of Compromise) or confirmed if data was stolen.
What Customers Should Do
- Assume breach: Check logs for unusual remote sessions (especially between Aug 2024 – May 2025).
- Rotate credentials: All passwords, API keys, and certificates linked to ScreenConnect.
- Audit remote access: Look for unauthorized changes or new admin accounts.
- Demand answers: Push ConnectWise for detailed forensic reports.
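The "assume breach" steps above amount to a log triage: pull remote-access records for the August 2024 to May 2025 window and flag sessions by unknown accounts, sessions at odd hours, and any account creation or role change that granted admin rights. The script below is an added example, not ConnectWise's tooling or ScreenConnect's real log format; the record layout (`timestamp EVENT key=value ...`), the event names, the technician allowlist and the shift hours are all constructed assumptions you would replace with your own exported session data.

```python
"""Triage of remote-access session records for the Aug 2024 - May 2025 window.

Assumed (constructed for this example, not ScreenConnect's actual export):
each line reads  <ISO timestamp> <EVENT> key=value ...  with events
SESSION_START, SESSION_END, USER_CREATED and ROLE_CHANGED, where `user` is
the account the event concerns and `role=admin` marks an admin grant.
"""
from dataclasses import dataclass
from datetime import datetime, time
import re

# Exposure window from the disclosure: suspected access from August 2024,
# discovery in May 2025.
WINDOW_START = datetime(2024, 8, 1)
WINDOW_END = datetime(2025, 5, 31, 23, 59, 59)
# Hypothetical technician shift; sessions outside it are worth a second look.
SHIFT_START, SHIFT_END = time(7, 0), time(19, 0)
# Hypothetical allowlist of accounts that are expected to open sessions.
KNOWN_USERS = {"tech.alice", "tech.bob"}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>[A-Z_]+) (?P<fields>.*)$")

# Constructed sample records (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
2024-07-15T10:02:11 SESSION_START user=tech.alice host=WS-014 src=203.0.113.10
2024-07-15T10:40:02 SESSION_END user=tech.alice host=WS-014 src=203.0.113.10
2024-09-03T02:17:45 SESSION_START user=tech.alice host=DC-01 src=198.51.100.77
2024-09-03T02:20:00 USER_CREATED user=svc_backup2 host=DC-01 src=198.51.100.77 role=admin
2024-09-03T02:55:10 SESSION_END user=tech.alice host=DC-01 src=198.51.100.77
2025-01-20T14:05:00 SESSION_START user=svc_backup2 host=FS-02 src=198.51.100.77
2025-01-20T14:30:00 SESSION_END user=svc_backup2 host=FS-02 src=198.51.100.77
2025-06-10T09:00:00 SESSION_START user=tech.bob host=WS-020 src=203.0.113.10
"""


@dataclass(frozen=True)
class Record:
    ts: datetime
    event: str
    fields: dict


@dataclass(frozen=True)
class Finding:
    kind: str
    ts: datetime
    user: str
    host: str


def parse_line(line):
    """Parse one record; return None for lines that do not fit the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    return Record(datetime.fromisoformat(m.group("ts")), m.group("event"), fields)


def in_window(ts):
    return WINDOW_START <= ts <= WINDOW_END


def off_shift(ts):
    return not (SHIFT_START <= ts.time() <= SHIFT_END)


def triage(lines, known_users):
    """Return findings, in log order, for records inside the exposure window."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not in_window(rec.ts):
            continue  # malformed, or outside the period under review
        user = rec.fields.get("user", "?")
        host = rec.fields.get("host", "?")
        if rec.event == "SESSION_START":
            if user not in known_users:
                findings.append(Finding("unknown_user_session", rec.ts, user, host))
            if off_shift(rec.ts):
                findings.append(Finding("off_shift_session", rec.ts, user, host))
        elif rec.event in ("USER_CREATED", "ROLE_CHANGED") and rec.fields.get("role") == "admin":
            findings.append(Finding("new_admin_account", rec.ts, user, host))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines(), KNOWN_USERS):
        print(f"{f.ts.isoformat()}  {f.kind:22} user={f.user} host={f.host}")
```

Run against the sample, the script reports a 02:17 session on a domain controller, an admin account created three minutes later from the same source address, and a later session by that new account; the July 2024 and June 2025 sessions fall outside the window and are skipped. The point of keeping the window and the allowlist as explicit constants is that the same pass can be re-run as soon as ConnectWise publishes indicators, by adding their source addresses or account names as a further check.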
The Bigger Problem
This is yet another case of "silent breaches"—where attackers lurk undetected for months, even in critical remote-access tools. If a nation-state was behind this, the real damage may still be unfolding.

Lesson learned? If you relied on ScreenConnect’s cloud, it’s time to assume you were a target.
