And while I mentioned it last week, a bit more detail.
ConnectWise has confirmed it was the target of a cyber-attack by a nation-state threat actor, affecting a very small number of its ScreenConnect customers. The company announced that it has patched the software and implemented enhanced monitoring and hardening measures to secure its environment. This incident comes shortly before the annual IT Nation Secure conference and follows prior vulnerabilities found in ScreenConnect, which were patched in February 2024. Will Thomas, a Senior Threat Intelligence Advisor at Team Cymru, noted that remote monitoring management tools are increasingly targeted, with Russian and Chinese intelligence services implicated in recent breaches of similar software. ConnectWise is currently collaborating with Google Cloud-owned Company, for an investigation and has communicated with all affected customers.
The activity was isolated to the ScreenConnect product, and since the implementation of a security patch on April 24, ConnectWise has not observed further suspicious activity.
Why do we care?
ConnectWise’s disclosure of a nation-state cyberattack targeting ScreenConnect adds to a growing body of evidence: Remote Monitoring and Management (RMM) tools are now top-tier targets for advanced threat actors. While ConnectWise frames the impact as minimal, the optics are troubling—especially with prior vulnerabilities disclosed just months earlier and the breach surfacing days before their security-focused event.
This isn’t just ConnectWise’s problem—it’s a channel-wide wake-up call. RMM tools are now critical infrastructure in the eyes of hostile foreign actors. If you’re not rethinking your architecture, your vendor stack, and your client communications, you’re exposed—technically and reputationally. The providers who take this seriously and act transparently will be the ones still standing when the next breach hits.