In May 2025, ConnectWise, a major provider of IT automation and remote access tools, publicly confirmed a targeted cyberattack against its cloud-hosted ScreenConnect infrastructure. The attack has been attributed to an advanced persistent threat (APT) group, likely affiliated with a nation-state, based on tactics, techniques, and procedures (TTPs) observed.
The breach impacted a subset of customers using ScreenConnect Cloud, a platform commonly integrated into Managed Service Provider (MSP) ecosystems, making it a high-value target due to its widespread deployment and privileged access capabilities.
📌 Vulnerability Exploited: CVE-2025-3935
🧩 Technical Details
- Vulnerability Type: ASP.NET ViewState Injection
- CWE: CWE-502 – Deserialization of Untrusted Data
- CVSS Score: 8.1 (High)
- Exploit Vector: Remote, unauthenticated
- Description: Attackers exploited an unsafe deserialization flaw within ScreenConnect’s web interface. Specifically, the .NET ViewState mechanism was improperly configured, allowing crafted malicious payloads to be injected and executed on the server side. ViewState typically helps maintain state across HTTP requests. When it’s not MAC-protected (via
ViewStateUserKeyorMachineKey), attackers can:- Forge ViewState objects
- Execute arbitrary .NET code
- Establish remote control, even within sandboxed environments
🎯 Tactics, Techniques & Procedures (TTPs)
🧑💻 Threat Actor Profile
- Attribution: Likely linked to a nation-state group (exact country undisclosed)
- Objectives: Espionage, credential harvesting, potential for disruptive access
- Behavioral Traits:
- Use of living-off-the-land binaries (LOLBins) for stealth
- Custom malware deployed in memory
- Obfuscated PowerShell scripts for beaconing
- Dynamic C2 infrastructure that mimics Microsoft cloud endpoints
🧩 ConnectWise Response
✅ Immediate Actions
- Partnered with Mandiant for forensic investigation
- Notified affected clients individually
- Isolated compromised infrastructure
- Rotated internal secrets and encryption keys
- Rolled out updated cloud-side policies for:
- Hardened ViewState security
- Enhanced anomaly detection
- Application firewall tuning
🔐 Security Enhancements
- Implementation of HMAC-signed ViewState and
ViewStateEncryptionMode - Enabled machine learning anomaly detection for behavioral shifts in customer logins
- Introduced GeoIP blocking, rate limiting, and strict CORS policies
🔎 Detection & Hunting Guidance
If you are a ScreenConnect administrator or security analyst, look for:
🔍 Indicators of Compromise (IOCs)
- Unusual
__VIEWSTATEsize and content - Unexpected child processes spawned by
w3wp.exe - Modified files under
C:\Program Files (x86)\ScreenConnect\ - Outbound traffic to rare or newly registered domains
- ASPX files created post-install in IIS root directories
🔧 Suggested Hunting Queries (ELK/Splunk)
index=web_logs sourcetype=aspnet | where viewstate_length > 2000 | search "__VIEWSTATE" AND "MacValidation=false"
📘 Lessons Learned & Strategic Takeaways
- Legacy .NET Risks Are Not Dead
ViewState is often ignored in modern app audits, yet still widely used. Legacy frameworks like ASP.NET Web Forms can carry high-risk baggage. - MSP Platforms Are High-Value Targets
Any tool used to remotely manage endpoints is a gateway into hundreds or thousands of networks. This calls for zero trust enforcement even within MSP tooling environments. - Deserialization = Privilege Escalation + Persistence
Once serialized payloads are accepted by the server, all bets are off. This reinforces the need for input validation and code review of custom serialization logic. - Patch Velocity Saves Reputations
ConnectWise moved quickly compared to past incidents—this likely limited broader damage. Their cloud-first mitigation strategy demonstrates how DevSecOps maturity matters.
