
ConnectWise, a leading IT management software provider, confirmed in May 2025 that a cyberattack had targeted its ScreenConnect remote access tool. The breach, attributed to suspected nation-state actors, exploited a critical vulnerability (CVE-2025-3935) to compromise high-value targets, including managed service providers (MSPs) and government agencies [1]. Forensic analysis by Mandiant linked the attack to Chinese (UNC5174) and Russian (Sandworm/APT44) threat groups based on overlapping tactics, techniques, and procedures (TTPs) [2].
Technical Breakdown of the Attack
The attackers exploited CVE-2025-3935, a ViewState deserialization flaw in ScreenConnect 25.2.3 and earlier, to achieve remote code execution (RCE). ScreenConnect is an ASP.NET Web Forms application, and a ViewState payload that is signed with the server's machine keys is deserialized on the server; an attacker who has obtained those keys can therefore craft a ViewState that executes code in the ScreenConnect service. The flaw is not an authentication bypass on its own: key material has to be obtained first, which is why the release that fixed it (25.2.4) removed ScreenConnect's dependency on ViewState rather than only rotating keys. Initial access involved unpatched, internet-facing instances, followed by deployment of Cobalt Strike beacons for command-and-control (C2). Lateral movement leveraged ScreenConnect's privileged access, with registry modifications (under HKLM\SOFTWARE\ScreenConnect) and scheduled tasks providing persistence [3]. Evidence suggests data exfiltration and attempted ransomware deployment, likely LockBit 4.0, mirroring prior ScreenConnect exploitation patterns [4].
Mitigation and Response
ConnectWise released urgent patches (version 25.2.4) and published indicators of compromise (IOCs), including malicious IPs (185.143.223[.]67, 45.61.147[.]220) and file hashes [5]. Recommendations include enforcing multi-factor authentication (MFA), restricting access to the ScreenConnect web interface to an IP allow list, and auditing role permissions to remove excessive privileges. Detection should focus on anomalous process chains, in particular the ScreenConnect service or client process spawning cmd.exe or powershell.exe (on the server side this is the ScreenConnect service; on endpoints it is the host-side client service), and on bulk file transfers out of remote sessions [6].
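The following triage script, added here as an example and not code from the original article or from ConnectWise, applies the mitigation and detection advice above to constructed Sysmon-style process-creation (Event ID 1) and network-connection (Event ID 3) records plus constructed session file-transfer records. The ScreenConnect process names, the event field names, the sample records and the 500 MB transfer threshold are assumptions for illustration; the two IOC IPs are the ones quoted above.

```python
# Added example (not from the original article or ConnectWise): triage of
# constructed Sysmon-style events against the page's recommendations.
# Process names, field names and sample data are assumptions for illustration.
from typing import Dict, List, Tuple

FIRST_PATCHED = (25, 2, 4)  # first release the advisory lists as fixed

# IOC IPs quoted in the article, un-defanged so they can be matched
IOC_IPS = {"185.143.223.67", "45.61.147.220"}

# Assumed ScreenConnect process names (lower-cased): the server-side service
# and the host-side client processes that execute remote-session commands.
SCREENCONNECT_PARENTS = {
    "screenconnect.service.exe",          # assumed server service name
    "screenconnect.clientservice.exe",    # assumed host-side client service
    "screenconnect.windowsclient.exe",    # assumed host-side client UI process
}
# Interpreters and LOLBins that a remote-support session should rarely launch
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe",
    "schtasks.exe", "reg.exe", "certutil.exe",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """'25.2.3.1234' -> (25, 2, 3, 1234); tolerates a trailing build number."""
    return tuple(int(part) for part in text.strip().split("."))


def is_vulnerable(version: str) -> bool:
    """True when the installed ScreenConnect version predates 25.2.4."""
    return parse_version(version)[:3] < FIRST_PATCHED


def _basename(path: str) -> str:
    """Normalise a Windows image path to its lower-cased file name."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def process_chain_alerts(events: List[Dict]) -> List[str]:
    """Flag Event ID 1 records where a ScreenConnect process spawns a shell/LOLBin."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        parent, child = _basename(ev["ParentImage"]), _basename(ev["Image"])
        if parent in SCREENCONNECT_PARENTS and child in SUSPICIOUS_CHILDREN:
            alerts.append(f"{ev['Computer']}: {parent} -> {child} [{ev.get('CommandLine', '')}]")
    return alerts


def ioc_network_alerts(events: List[Dict]) -> List[str]:
    """Flag Event ID 3 records whose destination matches a published IOC IP."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 3:
            continue
        dst = ev["DestinationIp"].strip()
        if dst in IOC_IPS:
            alerts.append(f"{ev['Computer']}: {_basename(ev['Image'])} -> {dst}:{ev.get('DestinationPort', '?')}")
    return alerts


def bulk_transfer_alerts(transfers: List[Dict], threshold_bytes: int = 500_000_000) -> List[str]:
    """Sum outbound bytes per remote session and flag sessions above the threshold."""
    totals: Dict[str, int] = {}
    for t in transfers:
        if t.get("Direction") == "outbound":
            totals[t["SessionID"]] = totals.get(t["SessionID"], 0) + int(t["Bytes"])
    return [f"session {sid}: {total} bytes outbound"
            for sid, total in sorted(totals.items()) if total >= threshold_bytes]


# Constructed sample telemetry (not real logs)
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "MSP-RMM01",
     "ParentImage": r"C:\Program Files (x86)\ScreenConnect Client (abc123)\ScreenConnect.ClientService.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 1, "Computer": "MSP-RMM01", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    {"EventID": 3, "Computer": "MSP-RMM01", "Image": r"C:\Windows\System32\rundll32.exe",
     "DestinationIp": "185.143.223.67", "DestinationPort": 443},
    {"EventID": 3, "Computer": "MSP-RMM01", "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "8.8.8.8", "DestinationPort": 53},
]
SAMPLE_TRANSFERS = [
    {"SessionID": "s-1", "Direction": "outbound", "Bytes": 300_000_000},
    {"SessionID": "s-1", "Direction": "outbound", "Bytes": 250_000_000},
    {"SessionID": "s-2", "Direction": "outbound", "Bytes": 1_000_000},
    {"SessionID": "s-2", "Direction": "inbound", "Bytes": 900_000_000},
]


def triage(version: str, events: List[Dict], transfers: List[Dict]) -> Dict[str, object]:
    """Run every check and return the findings keyed by check name."""
    return {
        "unpatched": is_vulnerable(version),
        "process_chains": process_chain_alerts(events),
        "ioc_connections": ioc_network_alerts(events),
        "bulk_transfers": bulk_transfer_alerts(transfers),
    }


if __name__ == "__main__":
    for name, finding in triage("25.2.3.1234", SAMPLE_EVENTS, SAMPLE_TRANSFERS).items():
        print(f"{name}: {finding}")
```

The version check treats anything below 25.2.4 as unpatched regardless of build number; the process-chain rule deliberately matches only ScreenConnect parents, so an operator launching cmd.exe from Explorer (the second sample event) is not flagged, which keeps the alert rate usable on MSP hosts where interactive shells are routine.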
Broader Implications
ScreenConnect's central role in IT management makes it a recurring target for advanced threats. The incident underscores the risk of a single MSP compromise cascading to that provider's downstream clients, a tactic previously observed in attacks against U.S. defense networks [7]. Nation-state involvement aligns with broader trends, including Russian APT focus on critical infrastructure and Chinese espionage campaigns targeting geopolitical rivals [8].
Conclusion
This breach highlights the need for proactive patch management and hardened configurations for remote access tools. Organizations using ScreenConnect should upgrade to 25.2.4 or later, treat any instance that was exposed while unpatched as potentially compromised, and monitor for the published IOCs. The incident also reinforces the importance of threat intelligence sharing to counter state-sponsored cyber threats.
References
[1] ConnectWise Advisory (official patch notes for ScreenConnect 25.2.4).
[2] Mandiant report on UNC5174.
[3] CRN.
[4] TechCrunch.
[5] Recorded Future.
[6] Reddit.
[7] The Hacker News.
[8] BleepingComputer.