ConnectWise ScreenConnect Breach: How a Nation-State Actor Exploited ASP.NET ViewState Injection

On May 29, 2025, IT management software firm ConnectWise publicly disclosed a cybersecurity breach that sent shockwaves through the managed service provider (MSP) community. A sophisticated nation-state actor had compromised its ScreenConnect remote access platform, exploiting a high-severity vulnerability tracked as CVE-2025-3935. With Bitcoin trading near $105,641 and Ethereum at $2,632, the breach underscored how traditional enterprise security gaps can cascade into the broader digital economy, including cryptocurrency operations that rely on MSP infrastructure for daily operations.

The Exploit Mechanics

The attack leveraged an ASP.NET ViewState code injection vulnerability in ScreenConnect versions 25.2.3 and earlier. The flaw stemmed from unsafe deserialization of ViewState data, a well-known attack vector in the .NET ecosystem. Threat actors who had already gained privileged system-level access to ConnectWise’s infrastructure were able to steal the secret machine keys used by ScreenConnect servers. These machine keys are the cryptographic foundation that ASP.NET uses to sign and validate ViewState payloads, ensuring their integrity between server round trips.

Once the attackers possessed the machine keys, they could craft malicious ViewState payloads that the server would accept as legitimate. These crafted payloads, when processed by the server’s deserialization routines, triggered remote code execution (RCE) on the ScreenConnect server itself. This is a textbook example of an unsafe deserialization attack chain: initial access leads to key theft, which enables payload forging, which results in arbitrary code execution on the target server.

The vulnerability was patched on April 24, 2025, and ConnectWise applied the fix to its cloud-hosted ScreenConnect platforms at screenconnect.com and hostedrmm.com before publicly disclosing the vulnerability. However, sources indicated the initial breach may have occurred as early as August 2024, with ConnectWise only discovering the suspicious activity in May 2025, suggesting a prolonged dwell time of approximately nine months.

Affected Systems

The breach exclusively impacted cloud-hosted ScreenConnect instances, not on-premises deployments. ScreenConnect is widely used by MSPs and IT departments to provide remote access and support to client systems. When an MSP’s remote access tool is compromised, the blast radius extends far beyond the MSP itself, potentially reaching every end client whose systems are managed through the compromised tool.

ConnectWise stated that only a “very small number” of ScreenConnect customers were affected, suggesting the threat actors conducted a targeted operation against specific organizations rather than a broad-based attack. The company engaged Mandiant, one of the leading forensic investigation firms, to conduct a thorough investigation and coordinated with law enforcement agencies. Jason Slagle, President of MSP CNWR, confirmed the targeted nature of the attack.

The Mitigation Strategy

ConnectWise implemented enhanced monitoring across its network and hardened security measures following the discovery. The company patched the underlying CVE-2025-3935 vulnerability and stated that no further suspicious activity had been observed in customer instances. For organizations using ScreenConnect or similar remote access tools, the breach highlights several critical mitigation strategies.

First, organizations must ensure they are running the latest patched versions of all remote access software. CVE-2025-3935 affected ScreenConnect versions 25.2.3 and earlier, meaning any unpatched instance remains vulnerable. Second, MSPs should implement network segmentation to limit the blast radius of a compromised remote access tool. Third, enhanced logging and monitoring of remote access sessions can help detect anomalous behavior early.
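Patching closes the injection path, but it does not invalidate machine keys an attacker has already copied; a server whose keys may have been exposed needs fresh ones. The PowerShell below is an added example, not ConnectWise tooling: it assumes a conventional ASP.NET web.config at an assumed path (ScreenConnect's own configuration layout may differ) and that the IIS site or application pool is restarted afterwards.

```powershell
# Added example: rotate the ASP.NET <machineKey> used to sign (validationKey) and
# encrypt (decryptionKey) ViewState. Run elevated on the web host. The path is an
# assumption; point it at the application's real web.config.
param(
    [string]$WebConfigPath = 'C:\inetpub\wwwroot\app\web.config'  # assumed path
)

function New-HexKey {
    # Returns $Bytes cryptographically random bytes as an upper-case hex string,
    # the format the machineKey element expects.
    param([int]$Bytes)
    $buf = New-Object byte[] $Bytes
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($buf)
    return -join ($buf | ForEach-Object { $_.ToString('X2') })
}

# 64-byte key for HMACSHA256 validation, 32-byte key for AES-256 decryption.
$validationKey = New-HexKey -Bytes 64
$decryptionKey = New-HexKey -Bytes 32

[xml]$cfg = Get-Content -Path $WebConfigPath -Raw
$sysWeb = $cfg.configuration.'system.web'
if (-not $sysWeb) { throw "No <system.web> element found in $WebConfigPath" }

# Reuse the existing <machineKey> element or create one if the app relied on
# auto-generated keys; either way, every key attribute is overwritten.
$mk = $sysWeb.machineKey
if (-not $mk) {
    $mk = $cfg.CreateElement('machineKey')
    [void]$sysWeb.AppendChild($mk)
}
$mk.SetAttribute('validationKey', $validationKey)
$mk.SetAttribute('decryptionKey', $decryptionKey)
$mk.SetAttribute('validation',    'HMACSHA256')
$mk.SetAttribute('decryption',    'AES')

# Keep a timestamped backup of the old config, then write the rotated keys.
Copy-Item -Path $WebConfigPath -Destination "$WebConfigPath.bak-$(Get-Date -Format yyyyMMddHHmmss)"
$cfg.Save($WebConfigPath)
Write-Host "machineKey rotated in $WebConfigPath; recycle the app pool so the new keys take effect."
```

Once rotated, any ViewState or forms-authentication ticket signed with the stolen keys fails validation, so a burst of MAC validation failures after rotation is itself a signal worth reviewing. In a web farm, apply the same generated keys to every node, or ViewState round-trips between nodes will break.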

Lessons Learned

The ConnectWise breach carries several important lessons for the cybersecurity and cryptocurrency communities. The nine-month dwell time from initial breach in August 2024 to discovery in May 2025 demonstrates that even sophisticated organizations can miss persistent threats. The exploitation of machine keys for ViewState injection shows that attackers are combining traditional web application vulnerabilities with infrastructure-level access to create potent attack chains.

For cryptocurrency businesses that rely on MSPs for IT operations, the breach serves as a reminder that supply chain and third-party risks remain among the most significant threats. A compromised MSP tool could theoretically provide attackers with access to cryptocurrency wallet infrastructure, exchange operations, or custody solutions.

User Action Required

Organizations using ConnectWise ScreenConnect should immediately verify they are running version 25.2.4 or later. MSPs should review their security posture, including implementing multi-factor authentication for all administrative access, conducting thorough audits of remote access logs for the past year, and considering the deployment of additional endpoint detection and response (EDR) solutions on systems that interact with ScreenConnect.

Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before making any financial decisions.

14 thoughts on “ConnectWise ScreenConnect Breach: How a Nation-State Actor Exploited ASP.NET ViewState Injection”

    1. machine key theft means the attacker had already compromised the infrastructure before the ViewState exploit. layered failure

      1. ViewState was the delivery mechanism but the infrastructure compromise happened first. layered failures like this are almost always nation-state level ops

    1. hardware wallets don't help when your MSP has remote access to your endpoint and the attacker owns the MSP. completely different threat model

    1. ViewStateWarrior

      ASP.NET ViewState deserialization has been a known attack vector since like 2014. no excuse for this in 2025

      1. Agreed on the MSP infrastructure risk; machine key theft via ViewState could cascade across client networks.

  1. Not enough people talking about how nation-state actors targeting MSP infrastructure reveals sophisticated threat landscape

  3. BlockchainGuru

    Good point. CVE-2025-3935 represents a critical vulnerability in widely used MSP infrastructure. The market needs to wake up to this.

    1. Enterprise security teams need to patch ViewState immediately—nation-state actors exploiting ConnectWise is a wake-up call.

  5. The ASP.NET ViewState injection via CVE-2025-3935 and stolen machine keys is a serious nation-state threat to MSPs.
