CISA warns of ConnectWise ScreenConnect bug exploited in attacks
CISA is alerting federal agencies in the U.S. of hackers exploiting a recently patched ScreenConnect vulnerability that could lead to executing remote code on the server.
The agency is warning that four other security problems affecting ASUS routers and the Craft content management system (CMS) are also actively exploited.
Improper authentication in ConnectWise ScreenConnect
On April 24, ConnectWise addressed the security issue, tracked as CVE-2025-3935, stating that the vulnerability could be exploited for a ViewState code injection attack.
The vendor notes that ASP.NET Web Forms rely on the ViewState component to preserve page and control state using base64-encoded data that is protected by machine keys.
If an attacker with privileged access compromises the machine keys, they could trigger remote code execution on the server through malicious payloads.
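Because ViewState integrity rests on the machine keys, a defender may want to review how those keys and the related settings are configured. The following is an added example, not code from ConnectWise or CISA: it audits a generic ASP.NET `web.config` for static keys, legacy validation algorithms and a disabled ViewState MAC. The sample file is constructed, and the set of algorithms treated as legacy is this example's own policy assumption.

```python
import xml.etree.ElementTree as ET

# Assumption of this example: algorithms treated as legacy for ViewState validation.
LEGACY_VALIDATION = {"MD5", "SHA1", "3DES"}

# Constructed sample web.config (not taken from any real product or host).
SAMPLE_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="SHA1" />
    <pages enableViewStateMac="false" />
  </system.web>
</configuration>"""


def audit_web_config(xml_text):
    """Return a list of (setting, finding) tuples for ViewState-related risks."""
    findings = []
    root = ET.fromstring(xml_text)
    # iter() also reaches <system.web> sections nested under <location> elements.
    for web in root.iter("system.web"):
        mk = web.find("machineKey")
        if mk is not None:
            for attr in ("validationKey", "decryptionKey"):
                value = mk.get(attr, "AutoGenerate")
                # A literal key lives in a readable file: whoever copies the
                # file can produce ViewState that the server accepts as valid.
                if not value.startswith("AutoGenerate"):
                    findings.append((attr, "static key in config file"))
            algo = mk.get("validation", "")
            if algo.upper() in LEGACY_VALIDATION:
                findings.append(("validation", "legacy algorithm " + algo))
        pages = web.find("pages")
        if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
            findings.append(("enableViewStateMac", "ViewState MAC disabled"))
    return findings


if __name__ == "__main__":
    for setting, finding in audit_web_config(SAMPLE_CONFIG):
        print(f"{setting}: {finding}")
```

A static key is not a flaw in itself, but it marks a file whose exposure should trigger key rotation.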
Following the recent ConnectWise breach, suspected to be a state-sponsored operation, some customers said that the incident may be linked to CVE-2025-3935.
However, ConnectWise has not commented on the attack method or the nature of the compromise. Multiple reports state that ConnectWise found “a very small number of ScreenConnect customers” to be affected.
Critical bugs in ASUS and Craft CMS
In an alert this week, CISA also warns of threat actors exploiting four vulnerabilities, two of them critical, in ASUS routers and Craft CMS:
- CVE-2021-32030 (9.8 critical severity score): allows authentication bypass in ASUS GT-AC2900 and Lyra Mini devices
- CVE-2023-39780 (8.8 high-severity score): OS injection in ASUS RT-AX55, authentication required
- CVE-2024-56145 (9.3 critical severity score): code injection in Craft CMS that can lead to remote code execution under certain conditions
- CVE-2025-35939 (6.9 medium severity score): an unauthenticated client could introduce PHP code to known file locations on the Craft CMS server
The flaw affecting ASUS RT-AX55 devices has been exploited over the past months in stealthy attacks from what appears to be “a well-resourced and highly capable adversary.”
In a report last week, cybersecurity platform GreyNoise says that hackers have chained the CVE-2023-39780 vulnerability with authentication bypass techniques that do not have a CVE assigned to form a botnet called AyySSHush.
CISA added the five security problems to its Known Exploited Vulnerabilities (KEV) Catalog and expects federal agencies to implement the vendor-recommended mitigations or discontinue using the affected products by June 23.