
IT management software firm ConnectWise says that a suspected state-sponsored cyberattack breached its environment and affected a limited number of ScreenConnect customers.
“ConnectWise recently learned of suspicious activity within our environment, which we think was tied to a sophisticated nation-state actor, which affected a very small number of ScreenConnect customers,” ConnectWise shared in a brief advisory.
“We have initiated an investigation with one of the leading forensic experts, Mandiant. We have contacted all affected customers and are coordinating with law enforcement.”
ConnectWise is a Florida-based software company that provides IT management, RMM (remote monitoring and management), cybersecurity and automation solutions for managed service providers (MSPs) and IT departments.
One of its products is ScreenConnect, a remote access and support tool that allows technicians to securely connect to client systems for troubleshooting, patching and system maintenance.
As reported earlier, the company now says that it has implemented enhanced monitoring and hardened security across its network.
It also says that it has not seen any further suspicious activity in customer instances.
ConnectWise did not answer BleepingComputer's questions about how many customers were affected, when the breach occurred, or whether any malicious activity was seen in customers' ScreenConnect instances.
However, a source told BleepingComputer that the breach occurred in August 2024, with ConnectWise discovering the suspicious activity in May 2025, and that it only affected cloud-based ScreenConnect instances. BleepingComputer has not been able to independently confirm the dates of the breach.
Jason Slagley, president of the managed service provider CNWR, told BleepingComputer that only a very small number of customers were affected, suggesting that the threat actor launched a targeted attack against specific organizations.
In a Reddit thread, customers shared further details, stating that the incident is linked to a ScreenConnect vulnerability tracked as CVE-2025-3935, which was patched on 24 April.
The CVE-2025-3935 flaw is a high-severity ViewState code injection bug caused by the unsafe deserialization of ASP.NET ViewState in ScreenConnect versions 25.2.3 and earlier.
Threat actors with privileged system-level access can steal the secret machine keys used by a ScreenConnect server and use them to craft malicious payloads that trigger remote code execution on the server.
While ConnectWise did not say at the time that this vulnerability had been exploited, it was marked as a “High” priority, indicating that it was either actively exploited or at significant risk of exploitation.
The company also stated that the flaw was patched on its cloud-hosted platforms at “screenconnect.com” and “hostedrmm.com” before it was publicly disclosed to customers.
As the breach impacted only cloud-hosted ScreenConnect instances, it is possible that the threat actors first breached ConnectWise systems and stole the machine keys.
Using those keys, the attackers could perform remote code execution on the company's ScreenConnect servers and potentially access customer environments.
However, it should be noted that ConnectWise has not confirmed whether this is how customers' instances were breached.
Customers who spoke to BleepingComputer are frustrated by the lack of indicators of compromise (IOCs) and of information shared by ConnectWise, which has left them with very little information about what happened.
Last year, a ScreenConnect flaw tracked as CVE-2024-1709 was exploited by ransomware gangs and a North Korean APT hacking group to run malware.
BleepingComputer sent additional questions to ConnectWise but has not heard back at this time.


