The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned users about a high-severity vulnerability impacting ConnectWise ScreenConnect, tracked as CVE-2025-3935. Successful exploitation of the vulnerability could allow an attacker to execute arbitrary code remotely or directly impact confidential data, leading to complete system compromise.
CISA acknowledged the active exploitation of the vulnerability by adding it to its Known Exploited Vulnerabilities Catalog, urging users to patch before June 23, 2025. ConnectWise mentioned in the advisory, “ConnectWise recently learned of suspicious activity within our environment that we believe was tied to a sophisticated nation-state actor, which affected a minimal number of ScreenConnect customers. We have launched an investigation with one of the leading forensic experts, Mandiant. We have contacted all affected customers and are coordinating with law enforcement. As part of our work with Mandiant, we implemented enhanced environmental monitoring and hardening measures. We have not observed any further suspicious activity in any customer instances. The security of our services is paramount to us, and we are closely monitoring the situation and will share additional information as we are able.”
ConnectWise ScreenConnect is a self-hosted, secure remote support, access, and meeting solution. It allows technicians to remotely access and control devices for troubleshooting and support and facilitates online meetings and collaboration.
The Vulnerability
ConnectWise ScreenConnect is vulnerable to a ViewState code injection attack. ASP.NET Web Forms use ViewState to preserve page and control state, with the data Base64-encoded and protected by machine keys. An attacker must get privileged system-level access to obtain these machine keys. If these machine keys are compromised, attackers could create and send a malicious ViewState to the website, potentially leading to remote code execution on the server.
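The following simplified model of that integrity check is an added illustration, not ConnectWise or ASP.NET code: it shows that Base64 is only an encoding and that the key is the sole barrier between a client-supplied blob and the server trusting it. The `state || HMAC-SHA256` layout, the sample keys and all function names are assumptions; real ViewState uses ASP.NET's own serializer and MAC layout.

```python
import base64
import hashlib
import hmac

MAC_LEN = 32  # HMAC-SHA256 tag length in bytes

# Constructed sample keys standing in for a machine key before and after rotation.
OLD_KEY = b"A" * 32
NEW_KEY = b"B" * 32


def protect(state: bytes, validation_key: bytes) -> str:
    """Model of the server issuing state: Base64(state || HMAC(key, state))."""
    tag = hmac.new(validation_key, state, hashlib.sha256).digest()
    return base64.b64encode(state + tag).decode()


def validate(blob: str, validation_key: bytes):
    """Return the state only if the MAC verifies under the current key, else None."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) < MAC_LEN:
        return None
    state, tag = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(validation_key, state, hashlib.sha256).digest()
    return state if hmac.compare_digest(tag, expected) else None


def tamper(blob: str, new_state: bytes) -> str:
    """Replace the state but reuse the old tag, all a party without the key can do."""
    raw = base64.b64decode(blob)
    return base64.b64encode(new_state + raw[-MAC_LEN:]).decode()


def demo() -> dict:
    legit = protect(b"page=Login;ctl=1", OLD_KEY)
    forged = protect(b"page=Admin;ctl=1", OLD_KEY)  # signed by a holder of the old key
    return {
        "legit_accepted": validate(legit, OLD_KEY) is not None,
        "tampered_without_key_accepted": validate(tamper(legit, b"page=Admin;ctl=1"), OLD_KEY) is not None,
        "signed_with_leaked_key_accepted": validate(forged, OLD_KEY) is not None,
        "leaked_key_after_rotation_accepted": validate(forged, NEW_KEY) is not None,
    }
```

In this model a blob signed with a disclosed key is indistinguishable from a legitimate one until the server validates against a different key.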
Affected Versions
The vulnerability affects ConnectWise ScreenConnect versions before 25.2.3.
Mitigation
Users must upgrade to ConnectWise ScreenConnect 25.2.4 or later to patch the vulnerability.
For more information, please refer to the ConnectWise ScreenConnect security advisory.
Qualys Detection
Qualys customers can scan their devices with QID 383325 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References:
https://www.connectwise.com/company/trust/security-bulletins/screenconnect-security-patch-2025.4