ConnectWise Breach - ScreenConnect Hit by Nation State Hackers
Analysis of the May 28 breach shows tight scope but zero transparency. Here’s what MSPs must do to validate their defenses.
incident overview
On May 28, 2025, ConnectWise disclosed that a “sophisticated nation state actor” had gained unauthorized access to its ScreenConnect cloud environment, compromising a small subset of customer instances. Rather than a sprawling outbreak, the intrusion appears tightly scoped.
ConnectWise immediately enlisted Mandiant to lead a forensic investigation, notified all impacted customers, and partnered with law enforcement to contain any further damage. (ConnectWise)
Despite the alarming attribution, ConnectWise reports no evidence of ongoing suspicious activity in either cloud or on-premises deployments. The vendor has rolled out enhanced monitoring and hardening measures across its fleet, emphasizing that “the security of our services is paramount.”
timeline and attribution
According to ConnectWise’s advisory, the breach was first detected in late May 2025 when abnormal patterns surfaced in ScreenConnect logs.
The investigation linked the activity to techniques and infrastructure commonly associated with a nation-state, although the advisory stops short of naming a specific government. The incident overlapped briefly with Microsoft’s discovery of ASP.NET ViewState weaknesses, but there’s no indication the same exploit was used here.
Upon confirmation, ConnectWise triggered its incident response playbook: engaging Mandiant for root-cause analysis, alerting affected partners within 24 hours, and coordinating with U.S. law enforcement. Public communications have remained limited to protect investigative integrity, with a promise of additional updates as the review progresses.
impact on MSPs and customers
Only “a very small number” of ScreenConnect customers experienced direct impact, according to the vendor. Those customers underwent targeted outreach to reset credentials, verify configuration integrity, and apply bespoke remediation steps. No data exfiltration scope has been publicly detailed; however, industry observers warn that even limited leaks of privileged access or API keys could potentially cascade across managed endpoints.
Beyond the directly affected tenants, the breach sent ripples through the MSP community. ScreenConnect, used by thousands of service providers for remote support and automation, is a prime pivot point for attackers seeking to gain lateral movement into customer networks. As ConnectWise hardens its controls, MSPs now face the urgent task of validating their own defenses around the ScreenConnect integration.
revised mitigation measures (with a critical eye)
ConnectWise claims it has added real-time monitoring, tightened role-based access controls, and enforced multi-factor authentication (MFA) for admin logins; details, however, are scarce.
The advisory notes that enhanced SIEM rules and network segmentation went live in late May; however, there is still no public list of IOCs for the handful of impacted tenants to scan against. Without those hashes, IPs, or domains, affected customers can’t verify whether they’ve actually kicked the intruder out.
On the cloud side, ConnectWise touts automatic patching and “additional MFA requirements,” but stops short of clarifying which user roles or API endpoints were vulnerable in the first place. For on-prem clients, the push to upgrade to ScreenConnect 25.2.4 is appropriate, but again, there’s no breakdown of exactly which code changes or CVE fixes shipped in that release.
Hard truths for MSPs and their customers:
Ask for indicators. Demand ConnectWise share IOC feeds (file hashes, C2 domains, log signatures) so you can hunt retroactively.
Verify fixes. Don’t assume “latest version” equals “fixed version”; test in a controlled environment and review changelogs for exploited components.
Insist on transparency. Small-scale breaches can still seed larger supply-chain attacks; without clear forensics, your own risk posture remains guesswork.
takeaways and recommendations
Audit privileged interfaces. MSPs should review all integrations with vendor platforms, especially those that expose remote control, to ensure strong multi-factor authentication (MFA), least-privilege roles, and periodic credential rotations.
Monitor for unusual behavior. Implement baseline profiling for remote-support tools. Any spikes in session creation, lateral RDP/SSH tunneling, or bulk file transfers warrant immediate investigation.
Patch and upgrade. Stay current with vendor advisories. On-premises ScreenConnect servers must follow the documented upgrade path to 25.2.4, while cloud tenants benefit from ConnectWise’s built-in hardening.
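As an added illustration of the baseline-profiling recommendation above (example code, not from ConnectWise or Vulnerable U): a per-operator, leave-one-out baseline over constructed ScreenConnect-style session logs, flagging the hour in which one account's session creations jump far above its own norm while routine hours stay quiet. The log line format, account names, host names and thresholds are all assumptions made for this example.

```python
"""Baseline profiling of remote-support session logs.

Added example, not ConnectWise or Vulnerable U code. The log format
(ISO timestamp, operator account, event name, key=value fields) and the
alert thresholds are assumptions constructed for illustration.
"""
import re
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Captures the hour bucket (YYYY-MM-DDTHH), the operator and the event name.
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d):\d\d:\d\dZ (\S+) (\S+)")

def parse_sessions(lines):
    """Return {operator: Counter{hour_bucket: count}} for SessionCreated
    events; other event types and malformed lines are ignored."""
    per_user = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line)
        if m and m.group(3) == "SessionCreated":
            per_user[m.group(2)][m.group(1)] += 1
    return per_user

def find_spikes(per_user, min_sessions=10, z=3.0):
    """Flag hours whose count exceeds the operator's own leave-one-out
    baseline (mean + z * stdev over that operator's other active hours)
    and an absolute floor, so a low-volume account's single busy hour
    must still be genuinely large to alert."""
    alerts = []
    for user, hours in per_user.items():
        for hour, count in hours.items():
            others = [c for h, c in hours.items() if h != hour]
            if not others:
                continue  # no baseline to compare against yet
            threshold = mean(others) + z * pstdev(others)
            if count >= max(min_sessions, threshold):
                alerts.append((user, hour, count))
    return sorted(alerts)

def constructed_log():
    """Two weeks of routine activity (2 sessions at 09:00 and 14:00 per day)
    for two operators, then a 40-session burst at 02:00 on May 28 under tech1."""
    lines = [f"2025-05-{d:02d}T{h}:0{n}:00Z {u} SessionCreated host=WS-{n:03d}"
             for d in range(12, 26) for h in ("09", "14")
             for u in ("tech1", "tech2") for n in range(2)]
    lines += [f"2025-05-28T02:{m:02d}:00Z tech1 SessionCreated host=WS-{100 + m}"
              for m in range(40)]
    lines.append("2025-05-28T02:41:00Z tech1 FileTransferred bytes=5000000")  # not counted
    return lines

if __name__ == "__main__":
    for user, hour, count in find_spikes(parse_sessions(constructed_log())):
        print(f"ALERT {user} created {count} sessions in hour {hour}")
```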
Nation-state actors are probing the tools MSPs rely on to defend their clients. Diligent hardening, proactive detection, and close vendor collaboration remain the best deterrents against these supply-chain assaults.