Vulnerabilities discovered in ScreenConnect by ConnectWise, leading to ongoing malicious exploitation

Imminent System Vulnerability: Experts Advise Instant Patching Due to an Easily Exploitable Authentication Bypass Flaw, as Reported by the Company.

Vulnerabilities in ConnectWise ScreenConnect draw attacker interest, posing significant risks

Corporate stakeholders are growing increasingly concerned about the security of their technology stacks, with the question on everyone's lips: Are we a target? This question has taken on a new urgency with the active exploitation of critical vulnerabilities in ConnectWise ScreenConnect, a widely used remote desktop application for help desks and remote workers.

The Vulnerabilities

The vulnerabilities in question have been identified as CVE-2025-3935, an improper authentication flaw that enables a ViewState code injection attack. If machine keys are compromised, this vulnerability could potentially lead to remote code execution, posing a significant risk.

Affected Versions and Threat Status

The affected versions of ScreenConnect are those prior to 25.2.3. Since early 2025, these vulnerabilities have been actively exploited by threat actors, with attackers using them for post-exploitation activities under the codename "SlashAndGrab."

Patching and Mitigation

To address this issue, ConnectWise has released patches to fix the ViewState code injection and authentication bypass vulnerabilities. Administrators are urged to update ScreenConnect immediately to a version later than 25.2.3 or the latest version as provided by ConnectWise in their security bulletin.

Following the vendor's advice is crucial for mitigating the risk. This includes applying any vendor-recommended mitigations if immediate patching is not possible, such as restricting access to ScreenConnect servers, monitoring for suspicious activity, and following best practices from Binding Operational Directive (BOD) 22-01 regarding cloud services.

Detecting signs of compromise is also essential. Administrators should look for indicators of the "SlashAndGrab" malware and unusual post-exploitation activity as outlined by Huntress threat advisories. Additionally, hardening systems by enforcing strong access controls, multi-factor authentication, and continuous monitoring for unusual remote execution or authentication attempts can help protect against potential threats.
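A triage script for the patching guidance above, added here as an example (not code from the article, ConnectWise or Huntress). It assumes a hypothetical asset inventory with a hostname, installed ScreenConnect version and an internet-exposure flag, and flags every host whose version is prior to 25.2.3, ordering exposed hosts first so they are patched or access-restricted before internal ones.

```python
# Added example (not from the article or ConnectWise): triage a ScreenConnect
# inventory against the affected-version threshold the article states (prior to 25.2.3).
from dataclasses import dataclass

PATCHED_VERSION = "25.2.3"  # threshold stated in the article

def parse_version(text: str) -> tuple:
    """Turn '25.2.3' or '24.1.0.8' into a comparable tuple of ints, padded to 4 parts."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def is_affected(version: str, fixed: str = PATCHED_VERSION) -> bool:
    """True when the installed version is prior to the fixed release."""
    return parse_version(version) < parse_version(fixed)

@dataclass
class Host:
    name: str
    version: str
    internet_exposed: bool  # hypothetical attribute from the asset inventory

def triage(hosts):
    """Return (name, priority) for every affected host; exposed hosts come first."""
    affected = [h for h in hosts if is_affected(h.version)]
    affected.sort(key=lambda h: (not h.internet_exposed, h.name))
    return [(h.name, "urgent" if h.internet_exposed else "high") for h in affected]

# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_HOSTS = [
    Host("sc-helpdesk-01", "24.1.0.8", True),
    Host("sc-internal-02", "25.2.3", False),
    Host("sc-branch-03", "25.1.9", False),
    Host("sc-lab-04", "25.2.4", True),
]

if __name__ == "__main__":
    for name, prio in triage(SAMPLE_HOSTS):
        print(f"{prio:6s} {name}")
```

Hosts that cannot be patched immediately should receive the vendor-recommended access restrictions and monitoring the article describes until they are upgraded.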

Current Threat Activity

The exploitation of these vulnerabilities has been ongoing since mid-2025, with attackers leveraging this flaw to gain unauthorized access and control over affected systems via the ViewState injection. The exploit is also linked to sophisticated post-exploitation techniques involving credential theft and lateral movement.

Background

Initially, the vulnerabilities were publicly disclosed by other researchers before Huntress released their information. John Hammond, principal security researcher at Huntress, has stated that threat actors are currently expanding their reach for future attacks.

Federal officials are collaborating with the company to comprehend the current threat activity. Eric Goldstein, executive assistant director for cybersecurity at CISA, has acknowledged the reported vulnerability impacting ConnectWise ScreenConnect and is working to understand potential exploitation.

Researchers at Palo Alto Networks have detected over 18,000 unique IP addresses hosting ScreenConnect globally. After a few days of delay, the vulnerabilities in ConnectWise ScreenConnect were assigned CVE-2024-1709 and CVE-2024-17008. Huntress researchers were able to recreate the exploit and attack chain for the vulnerabilities in ConnectWise ScreenConnect.

ConnectWise was initially notified of the vulnerabilities on Feb. 13 through its disclosure channels. In response, the company has urged on-premises partners to immediately upgrade to the latest version of ScreenConnect following reports of suspicious activity.

In light of these developments, it is clear that administrators should urgently implement the ScreenConnect updates following ConnectWise’s security bulletins and monitor systems for attack signatures as detailed by the Huntress incident response reports.

  1. Given the active exploitation of critical vulnerabilities in ConnectWise ScreenConnect, it's essential for corporations to prioritize incident response strategies, ensuring immediate application of the provided patches or recommended mitigations to safeguard their cybersecurity.
  2. As cybersecurity threats continue to evolve, it's crucial for administrators to monitor systems diligently, looking for signs of compromise such as the "SlashAndGrab" malware, and strengthen their technology systems through access controls, multi-factor authentication, and continuous monitoring.
