On 28 May 2025, ConnectWise published an advisory disclosing suspicious activity within its environment, attributed to a sophisticated nation-state threat actor known for intelligence collection. The activity reportedly affected a very small number of ScreenConnect customers, all of whom ConnectWise has directly contacted. Details remain limited as the investigation is ongoing.
In a recent update, ConnectWise stated that the activity was isolated to ScreenConnect and that no suspicious activity has been observed in cloud instances since April 24, following the release of ScreenConnect version 25.2.4. Open-source reporting suggests that CVE-2025-3935—a high-severity remote code execution vulnerability—may have been used in this activity. The timing aligns with the observed behavior, and the vulnerability was added to CISA’s Known Exploited Vulnerabilities Catalog on June 2, 2025. However, ConnectWise has not explicitly confirmed whether CVE-2025-3935 was leveraged in this compromise.
ConnectWise has recommended that on-premises ScreenConnect instances be upgraded to version 25.2.4. The issue has already been resolved in cloud environments.
ScreenConnect vulnerabilities remain attractive targets for threat actors. Last year, two zero-day vulnerabilities in ScreenConnect were exploited in widespread ransomware campaigns.
Recommendations
Upgrade to Latest Fixed Version
Arctic Wolf strongly recommends that customers upgrade to the latest fixed version.
| Product | Affected Version | Fixed Version |
|---|---|---|
| ScreenConnect (On-Prem) | Versions prior to 25.2.4 | 25.2.4 and later |
- For ScreenConnect Cloud customers, no action is required. ScreenConnect servers hosted in “screenconnect.com” cloud (standalone and Automate/RMM integrated) or “hostedrmm.com” for Automate partners have been updated to remediate the issue.
Please follow your organisation’s patching and testing guidelines to minimise potential operational impact.