ConnectWise ScreenConnect: The MSP Tool That Keeps Getting Hacked (And Why Your IT Provider Won't Tell You)

Your managed service provider just got a wake-up call they probably won't share with you. ConnectWise ScreenConnect, the remote access software that thousands of MSPs use to manage your business systems, has been breached by suspected state-sponsored attackers. But this isn't breaking news—it's a pattern.

For the second time in just over a year, the platform your MSP trusts to "secure" your business has been turned into a criminal playground. And if your IT provider hasn't mentioned this latest breach, or the devastating vulnerabilities that came before it, you need to start asking why they're keeping you in the dark about tools that directly access your most sensitive systems.

The Latest Breach: When "Sophisticated" Becomes an Excuse

On May 28, 2025, ConnectWise admitted what many in the industry already suspected: their ScreenConnect infrastructure had been compromised by what they described as a "sophisticated nation-state actor." The company's carefully worded statement revealed that "a very small number of ScreenConnect customers" were affected, though they conveniently forgot to mention exactly how many, when it happened, or what data was accessed.

Google Mandiant was brought in to investigate, which is never a good sign when you need the cavalry to figure out what the hell happened to your own systems. The breach appears linked to CVE-2025-3935, a high-severity (CVSS 8.1) ASP.NET ViewState code-injection flaw that ConnectWise patched in ScreenConnect 25.2.4 in April 2025 by disabling ViewState altogether. Exploiting it needs the server's ASP.NET machine keys, so it is the kind of bug an attacker who already has a foothold turns into code execution. And here's the thing about patches: they don't help if attackers were already inside before you applied them.

This is the reality of MSP security in 2025: your "trusted" IT provider is using tools that can't even protect themselves, let alone your business.

The 2024 Vulnerability Apocalypse: A Lesson Unlearned

If this latest breach feels familiar, it should. In February 2024, ConnectWise disclosed two critical vulnerabilities in ScreenConnect that turned the platform into a ransomware distribution network. CVE-2024-1709 earned a perfect 10.0 CVSS score, the cybersecurity equivalent of a five-alarm fire: it was an authentication bypass, and a trivial one. Requesting the setup wizard page (SetupWizard.aspx) with a trailing slash or an extra path segment re-ran the first-run setup on an already-configured server, which let anyone on the internet create a new administrator account. CVE-2024-1708 (CVSS 8.4) added path traversal for good measure, and with admin access that meant writing files, such as web shells, onto the server. Both were fixed in ScreenConnect 23.9.8.

The combination was devastating. Threat actors could bypass authentication with trivial ease, gain administrative access, and deploy whatever malware they fancied across entire MSP customer bases. Within 72 hours of disclosure, multiple ransomware gangs were actively exploiting these flaws.

LockBit, Play, Black Basta, and Conti ransomware all joined the party, turning ScreenConnect servers into criminal infrastructure. One attack targeted an MSP for a potential supply chain breach against multiple customers. A finance company got hit with Play ransomware while trying to apply the security patch. The LockBit executable was found deployed across customer environments, only stopped by endpoint detection systems before encryption could begin.

But here's what really happened: MSPs using ScreenConnect became unwitting accomplices in attacks against their own customers.

The Supply Chain Time Bomb Your MSP Won't Discuss

Let's talk about what ScreenConnect actually does, because your MSP probably hasn't explained the risk properly. This isn't just remote access software—it's a master key to your entire digital infrastructure. When your MSP uses ScreenConnect, they're essentially installing a backdoor that bypasses your firewalls, endpoint protection, and network segmentation.

ScreenConnect provides:

  • Remote desktop access to every connected system

  • File transfer capabilities across your network

  • Administrative privileges on managed endpoints

  • The ability to deploy software without user interaction

  • Access to sensitive data stores and business applications

Now imagine that master key being handed to ransomware gangs, state-sponsored hackers, or cybercriminals looking to steal your customer data. That's exactly what happened when ScreenConnect's vulnerabilities were exploited.

During the 2024 attacks, researchers observed threat actors:

  • Deploying cryptocurrency miners on business systems

  • Installing additional remote access tools for persistence

  • Stealing credentials from compromised networks

  • Using legitimate ScreenConnect access to push ransomware "as easily as the good guys can push a patch"

  • Establishing SSH backdoors and reverse shells

  • Planting web shells for ongoing access

Your MSP's "convenience" tool became criminals' favourite attack vector.

The MSP Accountability Crisis

Here's the uncomfortable truth your MSP doesn't want to discuss: they've been repeatedly trusting a platform with a documented history of security failures to manage your most critical systems. When ConnectWise's vulnerabilities were actively being exploited in 2024, MSPs worldwide suddenly found their customer networks compromised through no fault of their own security practices.

But the real scandal isn't that ScreenConnect got hacked—it's what happened next.

ConnectWise's first advisory said there was no evidence of the flaws being exploited in the wild. Within two days, Huntress had a working proof of concept, attackers had the same, and the advisory was updated to confirm active exploitation; only then did ConnectWise lift licence restrictions so out-of-maintenance servers could get the patch at all. By that point ransomware gangs were already using the flaws against customer networks, and the vendor's tone stayed measured while its customers' networks burned.

Sound familiar? It should, because that's exactly how software vendors operate when their products become attack vectors: deny, deflect, and hope customers don't notice the damage.

The Real Cost of "Trusted" Tools

While ConnectWise was busy issuing carefully worded statements about "sophisticated attacks," real businesses were dealing with the consequences. Sophos X-Ops tracked multiple attacks where the same ransomware payload was found across more than 30 different customer networks—clear evidence of mass exploitation through compromised ScreenConnect servers.

The financial impact was immediate:

  • Nonprofit organizations found LockBit ransomware executables on their systems

  • Finance companies lost entire storage area networks to Play ransomware

  • Multiple MSPs had to explain to customers why "secure" remote access tools had become criminal infrastructure

  • Incident response costs skyrocketed as organizations tried to determine the scope of compromise

But the reputational damage was worse. MSPs that had sold themselves as cybersecurity experts suddenly had to admit their primary management tool had been turned against their own customers.

The Pattern Recognition Problem

What's truly damning about the latest ConnectWise breach isn't that it happened—it's that anyone who was paying attention should have seen it coming. This is the same company that:

  • Suffered critical vulnerabilities in February 2024 that enabled mass ransomware deployment

  • Reported no evidence of exploitation in its first advisory, and only confirmed active exploitation after a public proof-of-concept appeared

  • Required emergency patching that disrupted MSP operations worldwide

  • Admitted to poor internal security practices after vulnerabilities were traced to development and build systems

  • Now faces a suspected nation-state breach just over a year later

If this were a restaurant that kept poisoning customers, health inspectors would shut it down. But in the MSP world, ConnectWise still holds the largest market share for professional services automation and remote monitoring software at 27%.

Your MSP is essentially saying: "We know this restaurant keeps making people sick, but the menu is really convenient."

The Questions Your MSP Doesn't Want to Answer

If your managed service provider uses ScreenConnect to access your systems, you need to ask some very direct questions:

About the latest breach:

  • Has our MSP been affected by the ConnectWise breach disclosed in May 2025?

  • What specific customer data or systems may have been accessed through compromised ScreenConnect instances?

  • What incident response measures are being taken to assess potential damage?

  • Will our business be notified if evidence of compromise is discovered?

About tool selection and risk management:

  • Why does our MSP continue using tools with documented security failures?

  • What alternative remote access solutions were considered and rejected?

  • How does our MSP assess the security posture of critical management tools?

  • What happens when vendor security failures compromise customer environments?

About transparency and communication:

  • Why weren't we informed about the February 2024 ScreenConnect vulnerabilities that enabled ransomware attacks?

  • What is our MSP's policy for disclosing vendor security incidents that could affect customer data?

  • How often does our MSP review and communicate about tool-related security risks?

If your MSP can't provide clear, direct answers to these questions, you're dealing with a provider that prioritizes convenience over security.

The Industry-Wide Delusion

The ConnectWise situation exposes a fundamental delusion in the MSP industry: the belief that vendor tools are somehow immune to the same security failures that affect every other piece of software. MSPs regularly preach about patch management, access controls, and defense in depth, then turn around and deploy remote access tools with a history of critical vulnerabilities.

This cognitive dissonance is everywhere:

  • MSPs warn about phishing attacks while using platforms susceptible to authentication bypass

  • Providers lecture about least privilege while deploying tools that grant administrative access across customer networks

  • Companies sell "enterprise security" while relying on vendors that can't secure their own development processes

When Huntress CEO Kyle Hanslovan warned about the 2024 ScreenConnect vulnerabilities, he predicted it could become "the biggest cybersecurity incident of 2024." He wasn't wrong—but the real tragedy is that few MSPs learned from it.

The SimpleHelp Alternative That Wasn't

While ConnectWise customers were dealing with breach notifications, other MSPs thought they'd found a safer alternative in SimpleHelp, another remote monitoring platform. As I covered last week, that lasted until DragonForce ransomware gang exploited three CVEs in SimpleHelp to breach an MSP and deploy encryptors across customer systems.

The DragonForce attack perfectly illustrates the systemic problem: MSPs keep switching between compromised tools instead of addressing the fundamental security model. Last week it was SimpleHelp. This week it's ConnectWise ScreenConnect. Next week it'll be whatever remote access platform your MSP migrates to next, assuming they haven't learned from this pattern.

The issue isn't which specific tool you choose—it's that remote access platforms, by their very nature, represent attractive targets for cybercriminals. Any platform that provides administrative access to multiple organizations will eventually become a criminal playground.

But here's what separates professional MSPs from convenient ones: they plan for this reality instead of hoping it won't happen.

What Professional MSPs Actually Do

The MSPs that understand risk don't just pick the most convenient remote access tool and hope for the best. They implement layered approaches that assume vendor tools will eventually be compromised:

Secure remote access architectures:

  • VPN-based access with certificate authentication

  • Jump servers that isolate remote access from production networks

  • Time-limited access tokens that expire automatically

  • Multi-factor authentication enforced in front of the tool (at the VPN, identity-aware proxy or jump host) rather than only inside it, so a vendor authentication bypass like CVE-2024-1709 still runs into a second gate the vendor's code cannot skip

Vendor risk management:

  • Regular security assessments of critical management tools

  • Incident response plans that account for vendor breaches

  • Alternative solutions that can be activated if primary tools are compromised

  • Customer communication protocols for vendor-related security events

Monitoring and detection:

  • Network segmentation that limits the blast radius of compromised tools

  • Behavioral analysis that can detect unauthorized administrative activity

  • Log aggregation that provides visibility into remote access patterns

  • Automated alerting for suspicious tool usage

These measures don't eliminate risk—nothing does. But they ensure that when vendor tools inevitably get compromised, the damage is contained rather than catastrophic.
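Two of those checks, written out as an added example. This is not code from the original post, from ConnectWise or from any MSP toolset; it is illustrative Python I wrote for this article. The first function applies a version floor against the builds that closed the CVEs discussed above (23.9.8 for the 2024 pair, 25.2.4 for CVE-2025-3935). The second triages web access log lines for the request shape of the 2024 authentication bypass: SetupWizard.aspx followed by a slash. The log lines and their combined-log layout are constructed for illustration and assume a reverse proxy in front of the ScreenConnect web server; a real deployment's logs will need the parser adjusted.

```python
"""Two checks an MSP can run against its own ScreenConnect estate.

check_fixed_versions() reports which of the CVEs discussed on this page are
still open for a given server build.  triage_access_log() scans web access
log lines for the request shape of the CVE-2024-1709 bypass: a request to
SetupWizard.aspx with a trailing slash or extra path segment, which re-opened
the first-run setup wizard on an already-configured server.
Added example; the sample log lines are constructed, not from a real incident.
"""
import re
from typing import Dict, List, Tuple

# First build that closed each CVE, per the vendor advisories.
FIXED_VERSIONS: Dict[str, Tuple[int, ...]] = {
    "CVE-2024-1708": (23, 9, 8),
    "CVE-2024-1709": (23, 9, 8),
    "CVE-2025-3935": (25, 2, 4),
}


def parse_version(version: str) -> Tuple[int, ...]:
    """'23.9.8.8811' -> (23, 9, 8, 8811). Rejects non-numeric input."""
    parts = version.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable ScreenConnect version: {version!r}")
    return tuple(int(p) for p in parts)


def check_fixed_versions(version: str) -> List[str]:
    """Return the CVEs still open on a server running `version`.

    Tuple comparison handles four-part builds: (23, 9, 8, 8811) is not
    below (23, 9, 8), so a fully patched build is not flagged.
    """
    v = parse_version(version)
    return [cve for cve, fixed in FIXED_VERSIONS.items() if v < fixed]


# Request path of the CVE-2024-1709 bypass: SetupWizard.aspx followed by '/'
# and anything at all.  A normal first-run request has no suffix.
SETUP_WIZARD_BYPASS = re.compile(r"/SetupWizard\.aspx/", re.IGNORECASE)

# Assumed layout (combined log format from a reverse proxy in front of the
# ScreenConnect web server): client IP first, then the quoted request line.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def triage_access_log(lines: List[str]) -> List[Dict[str, object]]:
    """Return one record per request that matches the bypass shape."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line; a real job would count these
        if SETUP_WIZARD_BYPASS.search(m["path"]):
            hits.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "method": m["method"],
                "path": m["path"],
                "status": int(m["status"]),
            })
    return hits


# Constructed sample: two bypass-shaped requests from RFC 5737 test addresses,
# then ordinary traffic, including a plain SetupWizard.aspx hit that a
# configured server simply redirects away (not flagged).
SAMPLE_LOG = [
    '203.0.113.7 - - [21/Feb/2024:03:14:02 +0000] '
    '"GET /SetupWizard.aspx/literally-anything HTTP/1.1" 200 5120',
    '198.51.100.4 - - [21/Feb/2024:03:14:05 +0000] '
    '"POST /SetupWizard.aspx/ HTTP/1.1" 200 310',
    '192.0.2.10 - - [21/Feb/2024:08:00:00 +0000] "GET /Login HTTP/1.1" 200 4096',
    '192.0.2.10 - - [21/Feb/2024:08:00:01 +0000] '
    '"GET /SetupWizard.aspx HTTP/1.1" 302 0',
]


if __name__ == "__main__":
    for build in ("23.9.7.8804", "23.9.8.8811", "25.2.4"):
        print(build, "open:", check_fixed_versions(build) or "none")
    for hit in triage_access_log(SAMPLE_LOG):
        print("BYPASS-SHAPED REQUEST", hit["ip"], hit["ts"], hit["path"], hit["status"])
```

The version check is only as good as the advisory table you keep it fed with, and the log check only catches the one request shape; a hit is a reason to look for an administrator account you did not create, not proof of compromise on its own.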

The Hard Questions About MSP Due Diligence

The ConnectWise breaches raise fundamental questions about MSP due diligence that most providers would rather not address:

How do you assess vendor security posture? If your MSP can't explain their process for evaluating the security practices of critical tools, they're essentially gambling with your data.

What's the incident response plan for vendor breaches? If your provider doesn't have specific procedures for handling vendor security failures, they're hoping nothing bad will happen.

How do you communicate vendor risks to customers? If your MSP hasn't proactively discussed the implications of tool-related vulnerabilities, they're keeping you in the dark about risks that directly affect your business.

What alternatives exist if primary tools are compromised? If your provider can't operate without specific vendor platforms, they've created dangerous single points of failure.

These aren't theoretical concerns—they're practical questions that determine whether your MSP can handle the next inevitable vendor security failure.

The Reality of MSP Security Theatre

Too many MSPs operate security theatre rather than security programs. They'll sell you compliance frameworks, security awareness training, and endpoint protection while ignoring the fact that their primary management tools have been repeatedly compromised by ransomware gangs.

This isn't security—it's marketing.

Real security means:

  • Acknowledging that vendor tools will be compromised

  • Planning for scenarios where management platforms become attack vectors

  • Implementing controls that function even when vendor security fails

  • Maintaining transparency about tool-related risks and incidents

  • Having honest conversations about the limitations of current approaches

If your MSP is still selling you on the security of platforms that have documented histories of critical vulnerabilities, they're either incompetent or dishonest. Possibly both.

And if they're jumping from one compromised tool to another—SimpleHelp to ScreenConnect to whatever's next—without addressing the fundamental architectural problems, they're not learning from their mistakes. They're just hoping the next vendor will be different.

Spoiler alert: it won't be.

The Questions That Matter Now

The latest ConnectWise breach isn't just another vendor security incident—it's a test of your MSP's transparency, competence, and commitment to customer security.

If they haven't mentioned this breach to you, ask why. If they continue using repeatedly compromised tools, ask about alternatives. If they can't explain their vendor risk management process, find an MSP that can.

Because in 2025, "we didn't know" isn't an acceptable excuse. The pattern is clear, the risks are documented, and the consequences are real.

Your business deserves an MSP that plans for vendor failures instead of hoping they won't happen. If your current provider can't meet that standard, it's time to find one that can.

The next ConnectWise breach is coming. The only question is whether your MSP will be ready for it.

Noel Bradford

Noel Bradford – Head of Technology at Equate Group, Professional Bullshit Detector, and Full-Time IT Cynic

As Head of Technology at Equate Group, my job description is technically “keeping the lights on,” but in reality, it’s more like “stopping people from setting their own house on fire.” With over 40 years in tech, I’ve seen every IT horror story imaginable—most of them self-inflicted by people who think cybersecurity is just installing antivirus and praying to Saint Norton.

I specialise in cybersecurity for UK businesses, which usually means explaining the difference between ‘MFA’ and ‘WTF’ to directors who still write their passwords on Post-it notes. On Tuesdays, I also help further education colleges navigate Cyber Essentials certification, a process so unnecessarily painful it makes root canal surgery look fun.

My natural habitat? Server rooms held together with zip ties and misplaced optimism, where every cable run is a “temporary fix” from 2012. My mortal enemies? Unmanaged switches, backups that only exist in someone’s imagination, and users who think clicking “Enable Macros” is just fine because it makes the spreadsheet work.

I’m blunt, sarcastic, and genuinely allergic to bullshit. If you want gentle hand-holding and reassuring corporate waffle, you’re in the wrong place. If you want someone who’ll fix your IT, tell you exactly why it broke, and throw in some unsolicited life advice, I’m your man.

Technology isn’t hard. People make it hard. And they make me drink.

https://noelbradford.com