Alert Essentials:

Remote access tool ScreenConnect, versions 25.2.3 and earlier, is vulnerable to Viewstate code injection that can result in system compromise. To exploit it successfully, an attacker must first obtain the ASP.NET machine keys that protect Viewstate.

Further information on the breach will be released shortly, as an investigation is currently underway.


Detailed Threat Description:

CVE-2025-3935 is a high-severity vulnerability in ScreenConnect versions 25.2.3 and earlier that allows Viewstate code injection and execution of arbitrary code on the server.

ConnectWise confirmed the use of the injection in a cloud infrastructure cyberattack in May 2025.

ScreenConnect (formerly ConnectWise Control) is a widely praised, self-hosted remote desktop application, highly regarded for its fast, flexible, and secure remote desktop and mobile support features.

But it has also become a popular choice for attackers: the Cofense Intelligence Team's May 2025 report names the ConnectWise remote access tool (RAT) as the most abused legitimate remote access tool.

That ranking is easy to understand from the flaws revealed over the last two years. A high-severity weakness from 2023, CVE-2023-25719, in which user-supplied parameters were not validated, is still disputed by ConnectWise.

In late 2023 and early 2024, ScreenConnect (formerly ConnectWise Control) was exploited in a wave of ransomware attacks by both cybercrime and nation-state threat actors. The breach stemmed from two critical vulnerabilities: CVE-2024-1708 and CVE-2024-1709, with the latter being an authentication bypass flaw that allowed adversaries to gain SYSTEM-level access. Attackers from China, North Korea, and Russia used these vulnerabilities to deliver a variety of malicious payloads.

In May 2025, ConnectWise again learned of suspicious activity in its environment. This time the intrusion is believed to have affected a small number of customers. Several researchers state the latest intrusion likely occurred in November 2024.

ConnectWise patched CVE-2025-3935 in April 2025, following Microsoft’s observation that the flaw was being exploited in the wild.

Cloud instances have been upgraded, and ConnectWise is currently collaborating with Mandiant on an investigation into the unusual activity. The history of attacks on this popular tool underscores the importance of defenders remaining vigilant and keeping software up to date. Verify the organization is using version 25.2.4; if not, update immediately.

Impacts on Healthcare Organizations:

Viewstate code injection in ScreenConnect poses significant risks to healthcare organizations, particularly those that rely on remote access tools for clinical and administrative operations.

Businesses should upgrade to the latest version of ScreenConnect and monitor developing events surrounding CVE-2025-3935.

Affected Products / Versions:

CVEs:

  • CVE-2025-3935 – CWE-287 – CVSS 8.1
  • CVE-2024-1708 – CWE-22 – CVSS 8.4
  • CVE-2024-1709 – CWE-288 – CVSS 10
  • CVE-2023-25719 – CWE-74 – CVSS 8.8

Engineering Recommendations:

  • Isolate or decommission legacy or unpatched systems, especially those exposed to the internet
  • The patch in version 25.2.4 disables Viewstate entirely, removing the attack vector
  • Verify the organization is using version 25.2.4 of ScreenConnect
  • Backported patches for versions as old as 23.9 have been released
  • If your environment was potentially exposed, rotate your ASP.NET machine keys to invalidate any compromised Viewstate tokens
  • Ensure machine keys are stored securely, as they are required for this exploit to be successful
  • Limit administrative access to ScreenConnect servers
  • Use multi-factor authentication (MFA) and network segmentation to reduce lateral movement
  • Watch for suspicious Viewstate payloads or unexpected outbound traffic from ScreenConnect servers
  • Use endpoint detection and response (EDR) tools to flag anomalous behavior
  • Tenable Nessus plugins are not yet available for scanning environments
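As an added example (not from the advisory or from ConnectWise) of the machine-key rotation and Viewstate MAC checks in the list above: a Python audit-and-rotate helper run against a constructed ASP.NET config excerpt. It assumes the generic `<machineKey>` and `<pages enableViewStateMac>` layout of an ASP.NET web.config and makes no claim about how ScreenConnect's own configuration file is laid out.

```python
import secrets
import xml.etree.ElementTree as ET

# Constructed sample ASP.NET config (not ScreenConnect's real web.config): SHA1, short key, MAC off.
SAMPLE_WEB_CONFIG = """<configuration><system.web>
  <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF01234567"
              decryptionKey="0123456789ABCDEF0123456789ABCDEF" validation="SHA1" decryption="AES" />
  <pages enableViewStateMac="false" />
</system.web></configuration>"""

WEAK_VALIDATION, WEAK_DECRYPTION = {"MD5", "SHA1", "3DES"}, {"DES", "3DES"}
MIN_VALIDATION_HEX = 128  # 64-byte validation key, the size recommended for HMACSHA256

def audit_machine_key(config_xml: str) -> list:
    """Return findings about <machineKey> and ViewState MAC enforcement (empty list = clean)."""
    root, findings = ET.fromstring(config_xml), []
    mk = root.find("system.web/machineKey")
    if mk is None:
        findings.append("no explicit <machineKey>: keys cannot be rotated deliberately")
    else:
        vkey = mk.get("validationKey", "")
        if mk.get("validation", "HMACSHA256").upper() in WEAK_VALIDATION:  # absent = 4.5+ default
            findings.append("weak validation algorithm: " + mk.get("validation"))
        if "AutoGenerate" not in vkey and len(vkey) < MIN_VALIDATION_HEX:
            findings.append("validationKey shorter than %d hex chars" % MIN_VALIDATION_HEX)
        if mk.get("decryption", "AES").upper() in WEAK_DECRYPTION:
            findings.append("weak decryption algorithm: " + mk.get("decryption"))
    pages = root.find("system.web/pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("enableViewStateMac=false: ViewState accepted without a MAC")
    return findings

def generate_machine_key() -> dict:
    """Fresh random keys: 64-byte HMACSHA256 validation key, 32-byte AES decryption key."""
    return {"validationKey": secrets.token_hex(64).upper(), "decryptionKey": secrets.token_hex(32).upper(),
            "validation": "HMACSHA256", "decryption": "AES"}

def _ensure(parent, tag):
    child = parent.find(tag)
    return child if child is not None else ET.SubElement(parent, tag)

def rotate_machine_key(config_xml: str) -> str:
    """Replace <machineKey> with fresh keys and enforce the ViewState MAC; old ViewState stops validating."""
    root = ET.fromstring(config_xml)
    web = _ensure(root, "system.web")
    mk = _ensure(web, "machineKey")
    for attr, value in generate_machine_key().items():
        mk.set(attr, value)
    _ensure(web, "pages").set("enableViewStateMac", "true")
    return ET.tostring(root, encoding="unicode")
```

Rotating the keys invalidates every Viewstate signed under the old keys, which is the point of the recommendation; on a load-balanced deployment the same new keys must be written to every node.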

Leadership Recommendations:

  • There is a risk of complete system compromise if this flaw is exploited
  • Monitor this developing situation for ongoing investigation findings
  • Invest in secure software lifecycle practices and vendor risk management
  • Perform tabletop exercises simulating supply chain and remote access tool compromises to better prepare the team for action during an attack

Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.

References: