ConnectWise is investigating suspicious activity — likely associated with a nation-state actor — affecting a limited number of customers that use ScreenConnect.
In a post on its website, ConnectWise said it has notified all affected customers, alerted law enforcement to the attack and retained Mandiant to help with its investigation.
A company spokesperson added that ConnectWise issued a patch for ScreenConnect and implemented enhanced monitoring and hardening measures across its environment.
“Our investigation is ongoing,” the spokesperson told Cybersecurity Dive in an emailed statement. “However, we have not observed further suspicious activity in ScreenConnect cloud instances since the patch was installed.”
The patch addressed a high-severity vulnerability, tracked as CVE-2025-3935. ScreenConnect versions 25.2.3 and earlier could be susceptible to a ViewState code injection attack.
A web application framework called ASP.NET Web Forms uses ViewState to preserve page and control state. Data is encoded with Base64 and protected by machine keys, according to ConnectWise.
With a compromised machine key, an attacker can send a malicious ViewState to a website and gain remote code execution on the server.
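Because the protection described above rests entirely on the machine keys staying secret, one defender-side check is to find ASP.NET configuration files that store static keys and to compare those keys against a list of keys known to be exposed. The following is an added example, not code from ConnectWise or Mandiant; the sample configs, key values and the `exposed_fingerprints` list are constructed, while `machineKey`, `validationKey` and `decryptionKey` are the standard ASP.NET configuration names.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample: a web.config with hard-coded machine keys (values are made up).
SAMPLE_STATIC = """<configuration>
  <system.web>
    <machineKey validationKey="00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF"
                decryptionKey="FFEEDDCCBBAA99887766554433221100"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""

# Constructed sample: keys generated by the framework instead of stored in the file.
SAMPLE_AUTO = """<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps" />
  </system.web>
</configuration>"""


def fingerprint(key):
    """SHA-256 of the normalized key, so keys can be compared without storing them."""
    return hashlib.sha256(key.strip().upper().encode()).hexdigest()


def audit_web_config(xml_text, exposed_fingerprints=frozenset()):
    """Return findings about machine keys in one web.config (empty list = none)."""
    findings = []
    root = ET.fromstring(xml_text)
    for mk in root.iter("machineKey"):
        for attr in ("validationKey", "decryptionKey"):
            # A missing attribute falls back to the framework's auto-generated key.
            value = mk.get(attr, "AutoGenerate")
            if value.lower().startswith("autogenerate"):
                continue
            # A static key is readable by anyone who obtains the file or a backup of it.
            findings.append(f"static {attr} stored in config")
            if fingerprint(value) in exposed_fingerprints:
                findings.append(f"{attr} matches a known-exposed key")
    return findings


if __name__ == "__main__":
    exposed = {fingerprint("FFEEDDCCBBAA99887766554433221100")}  # constructed list
    for name, cfg in (("static", SAMPLE_STATIC), ("auto", SAMPLE_AUTO)):
        print(name, audit_web_config(cfg, exposed))
```

Any key that shows up as static and exposed should be rotated, since a ViewState signed with it will pass validation no matter who produced it.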
A Mandiant spokesperson confirmed that the cybersecurity firm is assisting with the forensic response but declined to share any additional information, citing the ongoing investigation.
Hackers have targeted ConnectWise in the past by exploiting vulnerabilities in its software. In February 2024, hackers attempted to deploy LockBit ransomware against vulnerable ScreenConnect instances using a critical authentication bypass vulnerability listed as CVE-2024-1709.