In 2025, ConnectWise ScreenConnect has emerged as the most abused legitimate remote access tool in cyberattacks, accounting for 56 percent of active threat reports involving such tools. A report from Cofense Intelligence describes a troubling trend in which cybercriminals hijack these legitimate tools, typically used by IT professionals, to infiltrate computer systems and deliver harmful programs. The report notes that the popularity of ConnectWise ScreenConnect is surging, with attack volumes in 2025 already matching those from the previous year. Attackers employ various tactics, including spoofing emails from the U.S. Social Security Administration and using fake notifications about shared files to trick victims into installing the tool. Other legitimate remote access tools, such as Atera and FleetDeck, are also being exploited in targeted campaigns, further complicating the cybersecurity landscape.
ConnectWise has confirmed a cyberattack on its ScreenConnect platform, stating that all systems are now secure. The attack raised concerns among IT service providers, as ScreenConnect is widely used for remote access and support. The company took immediate action to mitigate the risks and secure its infrastructure. While specific details regarding the nature of the attack remain limited, ConnectWise emphasized its commitment to safeguarding customer data and restoring trust. The incident reflects a growing trend in cyber threats targeting remote access tools, highlighting the importance of robust cybersecurity measures in the IT service industry.
Why do we care?
Because this is now a pattern, not a one-off. ConnectWise ScreenConnect has become the most abused legitimate remote access tool in cyberattacks in 2025, representing 56% of threat reports involving such tools. For IT service providers, this shifts ScreenConnect from a convenience to a liability—raising hard questions about vendor trust, default configurations, and acceptable risk in remote tooling.
This isn’t just a product issue. It’s an ecosystem issue.
It’s tempting to frame this purely as a failure of cyber hygiene, but that misses deeper, systemic issues:
- Tool misuse is not the same as vulnerability. Even in the absence of technical exploits, attackers are simply installing and using tools the way they’re intended to be used—after fooling users or exploiting loose policies.
- Vendors benefit from ubiquity, but don’t shoulder equivalent security risk. When tools like ScreenConnect are misused, MSPs take the reputational hit—even if the software behaved “as designed.”
If remote access is your superpower, it’s also your attack surface. Either secure it with layered, monitorable, and enforceable controls—or expect to see your own name in the next threat report.

