ConnectWise ScreenConnect Vulnerability Exploited: CISA

The ConnectWise ScreenConnect vulnerability, which earlier this year was identified as a potential way for threat actors to perform ViewState code injection attacks, is now being exploited, according to the U.S. government’s Cybersecurity and Infrastructure Security Agency, or CISA.

The Cybersecurity and Infrastructure Security Agency warned that hackers are exploiting the ConnectWise ScreenConnect vulnerability, which could allow a ViewState code injection attack.

CISA, the U.S. federal agency within the Department of Homeland Security that coordinates critical infrastructure security and resilience, on Monday added the vulnerability, tracked as CVE-2025-3935, to its Known Exploited Vulnerabilities Catalog.

CISA on Monday wrote, “ConnectWise ScreenConnect contains an improper authentication vulnerability. This vulnerability could allow a ViewState code injection attack, which could allow remote code execution if machine keys are compromised.”

Microsoft defines ViewState as the method by which ASP.NET Web Forms preserve page and control state between postbacks. ViewState data is hidden and Base64-encoded, and requires two keys, a ValidationKey and a DecryptionKey, to access. A ViewState code injection attack happens when a threat actor leverages a publicly known machine key to load malicious code.
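A defender-side check that follows from the description above, added here as an illustration and not taken from CISA, Microsoft or ConnectWise: it inspects an ASP.NET `web.config` for a statically configured `machineKey` and compares it against fingerprints of publicly known keys. The key value, the fingerprint list and the sample config are constructed, and the function names are hypothetical.

```python
import hashlib
import xml.etree.ElementTree as ET

def fingerprint(key: str) -> str:
    """Hash a key so the audit never stores or prints raw key material."""
    return hashlib.sha256(key.strip().upper().encode()).hexdigest()

# Constructed stand-in for a key that has been published somewhere public.
CONSTRUCTED_PUBLIC_KEY = "00112233445566778899AABBCCDDEEFF" * 4
# Assumption: a real list would come from a vendor or threat-intel feed.
KNOWN_PUBLIC_FINGERPRINTS = {fingerprint(CONSTRUCTED_PUBLIC_KEY)}

# Constructed sample web.config with a hard-coded validation key.
SAMPLE_CONFIG = f"""<configuration>
  <system.web>
    <machineKey validationKey="{CONSTRUCTED_PUBLIC_KEY}"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""

def audit_machine_key(web_config_xml: str) -> list[str]:
    """Return findings for the <machineKey> element of one web.config."""
    root = ET.fromstring(web_config_xml)
    node = next(root.iter("machineKey"), None)
    if node is None:  # childless elements are falsy, so compare to None
        return ["ok: no <machineKey> element in this file"]
    findings = []
    for attr in ("validationKey", "decryptionKey"):
        value = node.get(attr, "AutoGenerate")
        if value.startswith("AutoGenerate"):
            findings.append(f"ok: {attr} is auto-generated")
            continue
        findings.append(f"review: {attr} is a static value in the file")
        if fingerprint(value) in KNOWN_PUBLIC_FINGERPRINTS:
            findings.append(f"critical: {attr} matches a public key, rotate it")
    return findings

if __name__ == "__main__":
    for line in audit_machine_key(SAMPLE_CONFIG):
        print(line)
```

A file with no `machineKey` element only shows that this file sets no key; keys can also be configured at the machine or server level, so those locations need the same check.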

ConnectWise last week confirmed that it suffered a recent cyberattack that led to unauthorized access of its ScreenConnect cloud infrastructure.

Tampa, Florida-based ConnectWise declined to discuss the new ScreenConnect vulnerability listing CISA posted on Monday, but instead referred CRN to its May 28 security event advisory, which read:

“ConnectWise recently learned of suspicious activity within our environment that we believe was tied to a sophisticated nation state actor, which affected a very small number of ScreenConnect customers. We have launched an investigation with one of the leading forensic experts, Mandiant. We have contacted all affected customers and are coordinating with law enforcement. As part of our work with Mandiant, we implemented enhanced monitoring and hardening measures across our environment. We have not observed any further suspicious activity in any customer instances. The security of our services is paramount to us, and we are closely monitoring the situation and will share additional information as we are able.”

In that May 28 advisory, ConnectWise wrote that only a very small number of customers were impacted, and that it has already reached out to all of those customers.

ConnectWise on Tuesday emailed CRN an update which read, “Our investigation is ongoing. However, we have not observed further suspicious activity in ScreenConnect cloud instances since the patch was installed.”

The suspicious activity related to the ScreenConnect vulnerability has been tied to a nation-state threat actor known for intelligence collection and is not a ransomware attack, the company wrote.

“We are currently focused on ensuring that the impact to partners and partner-facing systems is identified and remediated. The patch that we issued and the additional monitoring we put in place addresses the previously mentioned activity. Our investigation is ongoing, and we will share additional information as we are able,” the company wrote.

The ScreenConnect vulnerability was first reported late last year by Microsoft Threat Intelligence. Microsoft found that publicly accessible keys, which required a user to have privileged system-level access to obtain, were being utilized to perform malicious actions on servers generally.

MSPs were first notified of the vulnerabilities on February 19, and were given instructions to update on-premises servers immediately.