ConnectWise compromised by ‘sophisticated’ nation state • The Register

05/30/2025


ConnectWise has brought in the big guns to investigate a “sophisticated nation state actor” that broke into its IT environment and then breached some of its customers.

In a May 28 advisory, the IT management software vendor said the compromise “affected a very small number” of its customers who use ScreenConnect, a remote access and management tool. 

Multiple major brands, including Panasonic, Swarovski, Aflac, and Honeywell, use this product, according to the software provider, so this type of supply-chain attack would not be good for business. 

The Register asked ConnectWise for more details about the breach, including how the intruders gained initial access to its systems, how many customers’ instances they then broke into, and what they did — deploy ransomware? Steal data? We will update this story if we receive a response.

In its May 28 alert, ConnectWise said it hired Google-owned cleanup crew Mandiant to investigate the security breach.

“We have launched an investigation with one of the leading forensic experts, Mandiant,” the advisory said. “We have contacted all affected customers and are coordinating with law enforcement.”

The vendor added that it has since boosted monitoring and hardened security across its environment, and has “not observed any further suspicious activity in any customer instances.”

One “pissed off” person claiming to be a ScreenConnect customer whose instance was compromised took to Reddit to vent. They said they received a “cryptic message” from a ConnectWise sales manager notifying them of the breach, and indicated it occurred in November 2024. They also said the FBI was investigating.

The Register reached out to the FBI, but the agency declined to comment or confirm an investigation.

While ConnectWise has not tied the nation-state breach to a specific vulnerability, in April the vendor disclosed and patched CVE-2025-3935, which affects ScreenConnect versions prior to 25.2.4. It is a deserialization flaw in ASP.NET's ViewState that could allow remote code execution, but only after an attacker has first obtained privileged access to the server and extracted its ASP.NET machine keys, which are what let a forged ViewState payload pass validation.
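Two things an administrator can check offline on the back of that paragraph are whether an instance predates the 25.2.4 fix and whether its ASP.NET web.config still carries static machine keys that someone with file access could have lifted. The script below is an added example written for this page, not code from ConnectWise or The Register; it assumes ScreenConnect's web.config uses the standard ASP.NET `<system.web><machineKey>` layout, and the two configs embedded in it are constructed samples, not real ScreenConnect files.

```python
"""Triage helper for the ScreenConnect ViewState issue (CVE-2025-3935).

Two offline checks:
  1. does the installed version predate the fixed release, 25.2.4?
  2. does web.config carry a static <machineKey> (validationKey /
     decryptionKey written into the file) that a privileged intruder
     could have read and later used to forge a signed ViewState payload?
The sample configs below are constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET

FIXED_VERSION = (25, 2, 4)  # first ScreenConnect release carrying the fix

# Constructed sample: keys hard-coded in the file (the risky layout).
STATIC_KEY_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="8A9C0F2D5E7B1C3A4F6D8E0B2C4A6E8F1D3B5C7A9E0F2B4D6C8A0E2F4B6D8C0A"
                decryptionKey="0F1E2D3C4B5A69788796A5B4C3D2E1F00F1E2D3C4B5A69788796A5B4C3D2E1F0"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""

# Constructed sample: ASP.NET generates keys per machine, nothing in the file.
AUTOGEN_KEY_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps" />
  </system.web>
</configuration>"""


def parse_version(text):
    """Turn '25.2.3.9191' or 'ScreenConnect 24.1.5' into a comparable tuple."""
    m = re.search(r"(\d+(?:\.\d+)+)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable_version(text):
    """True when major.minor.patch is older than 25.2.4 (build number ignored)."""
    return parse_version(text)[:3] < FIXED_VERSION


def static_machine_keys(web_config_xml):
    """Return the machineKey attributes that are literal key material.

    An attribute set to 'AutoGenerate' (the ASP.NET default) is not stored in
    the file and is not reported. Returns {} when nothing static is present.
    """
    root = ET.fromstring(web_config_xml)
    node = root.find("./system.web/machineKey")
    if node is None:
        return {}
    static = {}
    for attr in ("validationKey", "decryptionKey"):
        value = node.get(attr, "AutoGenerate")
        if not value.startswith("AutoGenerate"):
            static[attr] = value
    return static


def triage(version_text, web_config_xml):
    """Combine both checks into a list of findings (empty list means clean)."""
    findings = []
    if is_vulnerable_version(version_text):
        findings.append(
            f"version {'.'.join(map(str, parse_version(version_text)))} "
            f"predates 25.2.4: apply the patch"
        )
    keys = static_machine_keys(web_config_xml)
    if keys:
        findings.append(
            "static machineKey in web.config (" + ", ".join(sorted(keys)) + "): "
            "rotate it if anyone with file read access could have reached the host"
        )
    return findings


if __name__ == "__main__":
    for version, config in (("25.2.3.9191", STATIC_KEY_CONFIG),
                            ("ScreenConnect 25.2.4.12", AUTOGEN_KEY_CONFIG)):
        print(version, "->", triage(version, config) or ["no findings"])
```

Patching alone does not revoke keys an intruder already copied, which is why the second check matters even on an up-to-date server: a static validationKey that was readable during a compromise should be treated as disclosed and regenerated.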

According to penetration tester Hasan Adib Ara, someone exploited CVE-2025-3935 earlier this month to hijack his client’s programmable logic controller (PLC) programming stations.

“By dawn, we’d isolated the breach — but the incident underscores why this flaw demands urgent attention,” Ara wrote on LinkedIn. This flaw “terrifies” him, Ara added.

“In industrial settings, ScreenConnect often manages critical HMIs [Human Machine Interfaces] and PLCs,” he said, noting that compromising a single server can give attackers access to critical industrial systems, including production line controls, SCADA systems, and sensitive operational technology networks.

Chinese spies previously exploited critical ScreenConnect bugs to compromise “hundreds” of entities, mostly in the US and Canada, and other miscreants used these security holes to deploy LockBit ransomware.®
