The Cybersecurity and Infrastructure Security Agency (CISA) issued a warning about active exploitation of **CVE-2025-3935**, a critical **ConnectWise ScreenConnect vulnerability** enabling **ViewState code injection attacks**. While the flaw is suspected to have been leveraged in a **state-backed cyber intrusion**, ConnectWise acknowledged only a **limited number of affected customers** and did not confirm the attack's origin. The flaw allows unauthorized remote code execution, potentially enabling full system control, data exfiltration, or lateral movement within compromised networks. Though no large-scale data breaches or operational disruptions were publicly confirmed, exploitation of the vulnerability poses severe risks, including **unauthorized access to sensitive corporate or client data**, **disruption of remote monitoring/management services**, or **deployment of secondary payloads** (e.g., ransomware or spyware). CISA's inclusion of the flaw in its **Known Exploited Vulnerabilities (KEV) catalog** underscores its criticality, mandating urgent patching by June 23. The incident highlights the persistent threat of **nation-state actors** targeting widely used enterprise software to infiltrate supply chains, with potential cascading effects on dependent organizations.
Source: https://www.scworld.com/brief/cisa-attacks-involving-connectwise-screenconnect-bug-underway
TPRM report: https://www.rankiteo.com/company/connectwise
"id": "con2251822112925",
"linkid": "connectwise",
"type": "Vulnerability",
"date": "6/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Limited number (per ConnectWise '
'statement)',
'industry': 'IT Management/Remote Monitoring',
'name': 'ConnectWise',
'type': 'Software Provider'},
{'industry': 'Multiple (Consumers/Enterprises)',
'name': 'Asus Router Users',
'type': 'Hardware/Networking'},
{'industry': 'Web Content Management',
'name': 'Craft CMS Users',
'type': 'Software'}],
'attack_vector': ['ViewState Code Injection (CVE-2025-3935)',
'Authentication Bypass (CVE-2021-32030, CVE-2023-39780)',
'OS Injection (CVE-2023-39780)'],
'customer_advisories': ['Patch immediately for ScreenConnect users',
'Check for Asus router compromises'],
'description': 'Organizations have been warned by the Cybersecurity and '
'Infrastructure Security Agency (CISA) regarding ongoing '
'intrusions exploiting the recently addressed ConnectWise '
'ScreenConnect vulnerability (CVE-2025-3935), which could be '
'leveraged in ViewState code injection attacks. The flaw is '
'suspected to have been harnessed in a suspected state-backed '
'attack against the remote monitoring and management (RMM) '
'software provider. ConnectWise has not acknowledged the claim '
'but stated that a limited number of its customers were '
'affected. CISA also added four other vulnerabilities to its '
'Known Exploited Vulnerabilities (KEV) list, including '
'critical flaws in Asus routers (CVE-2021-32030, '
'CVE-2023-39780) and Craft CMS (CVE-2024-56145, '
'CVE-2025-35939). Attacks combining CVE-2023-39780 with other '
'authentication bypass issues were reported by GreyNoise to '
'have facilitated the creation of the AyySSHush botnet. '
'Remediation for all KEV entries is mandated by June 23, 2025.',
'impact': {'brand_reputation_impact': ['Potential reputational damage to '
'ConnectWise and affected vendors'],
'operational_impact': ['Potential RMM software disruption',
'Botnet propagation (AyySSHush)'],
'systems_affected': ['ConnectWise ScreenConnect (Limited '
'Customers)',
'Asus Routers',
'Craft CMS']},
'initial_access_broker': {'entry_point': ['ConnectWise ScreenConnect '
'(CVE-2025-3935)',
'Asus Routers (CVE-2023-39780)'],
'high_value_targets': ['RMM Software Providers '
'(Suspected)',
'Router Networks '
'(AyySSHush)']},
'investigation_status': 'Ongoing (CISA/ConnectWise)',
'motivation': ['Espionage (Suspected)', 'Botnet Expansion (AyySSHush)'],
'post_incident_analysis': {'corrective_actions': ['Enforce CISA KEV '
'remediation deadlines.',
'Enhance monitoring for '
'ViewState injection and '
'authentication bypass '
'attempts.',
'Conduct third-party audits '
'of RMM software security.'],
'root_causes': ['Unpatched vulnerabilities in '
'widely used software '
'(ScreenConnect, Asus routers, '
'Craft CMS).',
'Potential state-backed '
'exploitation of RMM tools for '
'supply-chain attacks.']},
'recommendations': ['Immediate patching of ConnectWise ScreenConnect '
'(CVE-2025-3935) for RMM users.',
'Remediation of Asus router vulnerabilities '
'(CVE-2021-32030, CVE-2023-39780) to prevent botnet '
'exploitation (AyySSHush).',
'Update Craft CMS installations to address CVE-2024-56145 '
'and CVE-2025-35939.',
'Monitor for state-backed threat activity targeting RMM '
'software.',
'Implement network segmentation to limit lateral movement '
'in case of exploitation.'],
'references': [{'source': 'BleepingComputer'},
{'source': 'CISA Known Exploited Vulnerabilities Catalog',
'url': 'https://www.cisa.gov/known-exploited-vulnerabilities-catalog'},
{'source': 'GreyNoise (AyySSHush Botnet Report)'}],
'regulatory_compliance': {'regulatory_notifications': ['CISA KEV Catalog '
'Update (Mandatory '
'Remediation by June '
'23, 2025)']},
'response': {'communication_strategy': ['CISA advisory',
'ConnectWise customer notification '
'(limited impact)'],
'containment_measures': ['CISA KEV listing (remediation '
'deadline: June 23, 2025)'],
'remediation_measures': ['Patch deployment for CVE-2025-3935 '
'(ConnectWise)',
'Vendor advisories for Asus/Craft CMS']},
'stakeholder_advisories': ['CISA Alert', 'ConnectWise Customer Notification'],
'threat_actor': ['Suspected State-Backed Actor (Unconfirmed)'],
'title': 'Ongoing Intrusions Exploiting ConnectWise ScreenConnect '
'Vulnerability (CVE-2025-3935) and Related KEV Additions by CISA',
'type': ['Vulnerability Exploitation',
'State-Backed Attack (Suspected)',
'Botnet Creation (AyySSHush)'],
'vulnerability_exploited': [{'cve_id': 'CVE-2025-3935',
'description': 'ViewState code injection '
'vulnerability in remote '
'monitoring and management (RMM) '
'software.',
'severity': 'Critical (Suspected)',
'software': 'ConnectWise ScreenConnect'},
{'cve_id': 'CVE-2021-32030',
'description': 'Authentication bypass flaw.',
'severity': 'Critical',
'software': 'Asus Routers'},
{'cve_id': 'CVE-2023-39780',
'description': 'OS injection bug; exploited in '
'combination with other flaws to '
'create AyySSHush botnet.',
'severity': 'High',
'software': 'Asus Routers'},
{'cve_id': 'CVE-2024-56145',
'severity': 'Critical',
'software': 'Craft CMS'},
{'cve_id': 'CVE-2025-35939',
'severity': 'Medium',
'software': 'Craft CMS'}]}