
Born out of a single software solution designed to help MSPs gain control of their help desk and billing, ConnectWise has grown into a robust platform of software built for technology solutions providers (TSPs) to run their entire as-a-service business. With products aiding in business management, remote monitoring and management, remote control and access, quote and proposal automation, and cybersecurity risk assessments, integrations with hundreds of key vendors, plus the largest and most engaged community in the industry, ConnectWise has built a platform for The IT Nation. Our company is powered by our connections, our colleagues and our community. And, we accept all kinds. Game-changers, innovators, culture-lovers - and the humankind. We invite discovery and debate. We recognize key moments as milestones. We see you and value you for your unique contributions. Our inclusive, positive culture lays the foundation to ensure every colleague is valued for their perspectives and skills, giving you the choice of how YOU make a difference.

ConnectWise A.I CyberSecurity Scoring

ConnectWise

Company Details

LinkedIn ID: connectwise
Employees number: 3,454
Number of followers: 193,060
NAICS: 5112
Industry Type: Software Development
Homepage: connectwise.com
IP Addresses: 0
Company ID: CON_2879190
Scan Status: In-progress

ConnectWise Risk Score (AI oriented): Between 700 and 749

  • Powered by our proprietary A.I cyber incident model
  • Insurance prefers the TPRM score to calculate premiums

ConnectWise Global Score (TPRM): XXXX


ConnectWise Company CyberSecurity News & History

Past Incidents: 5
Attack Types: 3

ConnectWise
Cyber Attack
Severity: 60
Impact: 2
Seen: 5/2025
Blog:
Rankiteo Explanation
Attack limited on finance or reputation

Description: ConnectWise, a Florida-based IT management software provider, experienced a cybersecurity incident involving the compromise of its **ScreenConnect cloud infrastructure**, suspected to be a **state-sponsored cyberattack**. The breach was contained swiftly through immediate patching, enhanced monitoring, and strengthened security mechanisms. While the exact scope of the data compromise remains undisclosed, the incident was limited to a **small subset of organizations** using ScreenConnect. Malicious activity was mitigated, and no further exploitation was reported. The event underscored vulnerabilities in managed service providers (MSPs), prompting industry calls for heightened security measures to protect vendors, MSPs, and end-users. No evidence suggested large-scale data theft, financial fraud, or operational disruptions beyond the initial intrusion. The focus remained on preventing future exploits rather than addressing widespread damage.

ConnectWise
Cyber Attack
Severity: 100
Impact:
Seen: 8/2024
Blog:
Rankiteo Explanation
Attack threatening the organization’s existence

Description: ConnectWise, a Florida-based software company providing IT management solutions, experienced a suspected state-sponsored cyberattack that breached its environment. The attack impacted a limited number of ScreenConnect customers, a remote access and support tool. The breach occurred in August 2024 and was discovered in May 2025, with the vulnerability tracked as CVE-2025-3935. The flaw allowed threat actors with privileged access to steal secret machine keys and conduct remote code execution on ScreenConnect servers, potentially accessing customer environments. The company has implemented enhanced monitoring and security measures but has not confirmed the extent of the breach or the specifics of the malicious activity observed.

ConnectWise
Ransomware
Severity: 85
Impact: 3
Seen: 06/2020
Blog:
Rankiteo Explanation
Attack with significant impact with internal employee data leaks

Description: Multiple ConnectWise partners have had their customers hit with ransomware attacks. A software flaw left several end users compromised. An MSP was encrypted, which prompted the company to release the hotfix and notify users.

ConnectWise
Vulnerability
Severity: 85
Impact: 4
Seen: 6/2025
Blog:
Rankiteo Explanation
Attack with significant impact with customers data leaks

Description: The Cybersecurity and Infrastructure Security Agency (CISA) issued a warning about active exploitation of **CVE-2025-3935**, a critical **ConnectWise ScreenConnect vulnerability** enabling **ViewState code injection attacks**. While suspected to be leveraged in a **state-backed cyber intrusion**, ConnectWise acknowledged only a **limited number of affected customers**, avoiding confirmation of the attack’s origin. The flaw allows unauthorized remote code execution, potentially granting attackers full system control, data exfiltration, or lateral movement within compromised networks. Though no large-scale data breaches or operational disruptions were publicly confirmed, the vulnerability’s exploitation poses severe risks—including **unauthorized access to sensitive corporate or client data**, **disruption of remote monitoring/management services**, or **deployment of secondary payloads** (e.g., ransomware or spyware). CISA’s inclusion of the flaw in its **Known Exploited Vulnerabilities (KEV) catalog** underscores its criticality, mandating urgent patching by June 23. The incident highlights the persistent threat of **nation-state actors** targeting widely used enterprise software to infiltrate supply chains, with potential cascading effects on dependent organizations.

ConnectWise
Vulnerability
Severity: 100
Impact: 6
Seen: 12/2022
Blog:
Rankiteo Explanation
Attack threatening the economy of a geographical region

Description: ConnectWise, which offers a self-hosted remote desktop software application, suffered an unusually sophisticated phishing attack that can let attackers take remote control over user systems when recipients click the included link. The warning comes just weeks after the company quietly patched a vulnerability that makes it easier for phishers to launch these attacks. In October, ConnectWise learned that an attacker could craft a ConnectWise Control client download link that would bounce or proxy the remote connection from the MSP’s servers to a server that the attacker controls. ConnectWise issued an advisory warning users to be on guard against a new round of email phishing attempts that mimic legitimate email alerts the company sends when it detects unusual activity on a customer account.


Underwriter Stats for ConnectWise

Incidents vs Software Development Industry Average (This Year)

ConnectWise has 250.88% more incidents than the average of same-industry companies with at least one recorded incident.

Incidents vs All-Companies Average (This Year)

ConnectWise has 156.41% more incidents than the average of all companies with at least one recorded incident.

Incident Types ConnectWise vs Software Development Industry Avg (This Year)

ConnectWise reported 2 incidents this year: 1 cyber attack, 0 ransomware, 1 vulnerability, 0 data breaches, compared to industry peers with at least 1 incident.

Incident History — ConnectWise (X = Date, Y = Severity)

ConnectWise cyber incidents detection timeline including parent company and subsidiaries


ConnectWise Similar Companies

At DoorDash, our mission to empower local economies shapes how our team members move quickly and always learn and reiterate to support merchants, Dashers and the communities we serve. We are a technology and logistics company that started with door-to-door delivery, and we are looking for team membe

SAP is the leading enterprise application and business AI company. We stand at the intersection of business and technology, where our innovations are designed to directly address real business challenges and produce real-world impacts. Our solutions are the backbone for the world’s most complex and

Upwork

Upwork is the world’s work marketplace that connects businesses with independent talent from across the globe. We serve everyone from one-person startups to large, Fortune 100 enterprises with a powerful, trust-driven platform that enables companies and talent to work together in new ways that unloc

Airbnb

Airbnb was born in 2007 when two hosts welcomed three guests to their San Francisco home, and has since grown to over 5 million hosts who have welcomed over 2 billion guest arrivals in almost every country across the globe. Every day, hosts offer unique stays, experiences and services that make it p

Workday

Workday is a leading provider of enterprise cloud applications for finance and human resources, helping customers adapt and thrive in a changing world. Workday applications for financial management, human resources, planning, spend management, and analytics are built with artificial intelligence and

JD.COM

JD.com, also known as JINGDONG, is a leading e-commerce company transferring to be a technology and service enterprise with supply chain at its core. JD.com’s business has expanded across retail, technology, logistics, health, property development, industrials, and international business. Ranking 44

Join us in our mission to help the world get well, help the world stay well, and help future generations be healthier. We hire smart and motivated people from all academic majors to code, test, and implement healthcare software that hundreds of millions of patients and doctors rely on to improve ca

TOTVS

Hello, we are TOTVS! The largest technology company in Brazil. 🤓 The absolute leader in systems and platforms for companies, TOTVS has more than 70 thousand clients. Going far beyond ERP, it offers complete technology for the digitalization of businesses through 3 business units: - Management: ERPs, sol

Grab is Southeast Asia’s leading superapp, offering a suite of services consisting of deliveries, mobility, financial services, enterprise and others. Grabbers come from all over the world, and we are united by a common mission: to drive Southeast Asia forward by creating economic empowerment for ev


ConnectWise CyberSecurity News

December 04, 2025 08:00 AM
Beachhead Solutions Integrates with ConnectWise Through ConnectWise Invent Integration Program

New integration streamlines workflows, strengthens client value, and helps MSPs move beyond pricing pressures...

November 26, 2025 08:00 AM
Options and ConnectWise Mark Five Years Delivering Secure Cloud Backup to AtlasWorkplace Clients

Options and ConnectWise Mark Five Years Delivering Secure Cloud Backup to AtlasWorkplace Clients. Options Technology (Options), the leading...

November 07, 2025 08:00 AM
ESET to aid MSPs by integrating with ConnectWise Asio

The ESET PROTECT console plugin for ConnectWise Asio opens up more options for MSPs. This integration empowers MSPs with better tools to...

November 05, 2025 08:00 AM
ConnectWise Unifies Cybersecurity and BCDR in One Platform to Cut Threat Response and Recovery by up to 50%

ConnectWise Unifies Cybersecurity and BCDR in One Platform to Cut Threat Response and Recovery by up to 50% · By uniting SIEM, AI-driven MDR,...

October 17, 2025 07:00 AM
Critical ConnectWise Vulnerabilities Allow Attackers To Inject Malicious Updates

ConnectWise released a critical security update for its Automate platform on October 16, 2025. The patch, version 2025.9, addresses serious...

October 17, 2025 07:00 AM
Critical ConnectWise Flaws Enable Malicious Update Injections

ConnectWise has urgently released a security update for its flagship remote monitoring and management platform, ConnectWise Automate™.

October 17, 2025 07:00 AM
ConnectWise Flaws Let Attackers Deliver Malicious Software Updates

ConnectWise has issued a critical security update for its Automate™ platform after uncovering vulnerabilities that could allow attackers to...

October 14, 2025 07:00 AM
Threat Actors Exploit ScreenConnect to Gain Unauthorized Remote Access

A recent surge in threat actors leveraging remote management and monitoring (RMM) tools for initial access has intensified scrutiny of...

September 11, 2025 07:00 AM
AsyncRAT Exploits ConnectWise ScreenConnect to Steal Credentials and Crypto

Cybersecurity researchers have disclosed details of a new campaign that leverages ConnectWise ScreenConnect, a legitimate Remote Monitoring...


Frequently Asked Questions

Explore insights on cybersecurity incidents, risk posture, and Rankiteo's assessments.

ConnectWise CyberSecurity History Information

Official Website of ConnectWise

The official website of ConnectWise is https://www.connectwise.com/.

ConnectWise’s AI-Generated Cybersecurity Score

According to Rankiteo, ConnectWise’s AI-generated cybersecurity score is 709, reflecting their Moderate security posture.

How many security badges does ConnectWise have ?

According to Rankiteo, ConnectWise currently holds 0 security badges, indicating that no recognized compliance certifications are currently verified for the organization.

Does ConnectWise have SOC 2 Type 1 certification ?

According to Rankiteo, ConnectWise is not certified under SOC 2 Type 1.

Does ConnectWise have SOC 2 Type 2 certification ?

According to Rankiteo, ConnectWise does not hold a SOC 2 Type 2 certification.

Does ConnectWise comply with GDPR ?

According to Rankiteo, ConnectWise is not listed as GDPR compliant.

Does ConnectWise have PCI DSS certification ?

According to Rankiteo, ConnectWise does not currently maintain PCI DSS compliance.

Does ConnectWise comply with HIPAA ?

According to Rankiteo, ConnectWise is not compliant with HIPAA regulations.

Does ConnectWise have ISO 27001 certification ?

According to Rankiteo, ConnectWise is not certified under ISO 27001, indicating the absence of a formally recognized information security management framework.

Industry Classification of ConnectWise

ConnectWise operates primarily in the Software Development industry.

Number of Employees at ConnectWise

ConnectWise employs approximately 3,454 people worldwide.

Subsidiaries Owned by ConnectWise

ConnectWise presently has no subsidiaries across any sectors.

ConnectWise’s LinkedIn Followers

ConnectWise’s official LinkedIn profile has approximately 193,060 followers.

NAICS Classification of ConnectWise

ConnectWise is classified under the NAICS code 5112, which corresponds to Software Publishers.

ConnectWise’s Presence on Crunchbase

No, ConnectWise does not have a profile on Crunchbase.

ConnectWise’s Presence on LinkedIn

Yes, ConnectWise maintains an official LinkedIn profile, actively used for branding and talent engagement, which can be accessed here: https://www.linkedin.com/company/connectwise.

Cybersecurity Incidents Involving ConnectWise

As of December 16, 2025, Rankiteo reports that ConnectWise has experienced 5 cybersecurity incidents.

Number of Peer and Competitor Companies

ConnectWise has an estimated 27,757 peer or competitor companies worldwide.

What types of cybersecurity incidents have occurred at ConnectWise ?

Incident Types: The types of cybersecurity incidents that have occurred include Cyber Attack, Vulnerability and Ransomware.

How does ConnectWise detect and respond to cybersecurity incidents ?

Detection and Response: The company detects and responds to cybersecurity incidents through:
  • Communication strategy: advisory warning
  • Remediation measures: released hotfix; notified users
  • Third-party assistance: Mandiant (forensic experts)
  • Communication strategy: contacted all affected customers
  • Enhanced monitoring: implemented enhanced monitoring and hardened the security across its network
  • Containment measures: immediate patching
  • Remediation measures: adoption of more robust monitoring and security mechanisms
  • Communication strategy: public disclosure via CRN
  • Containment measures: CISA KEV listing (remediation deadline: June 23, 2025)
  • Remediation measures: patch deployment for CVE-2025-3935 (ConnectWise); vendor advisories for Asus/Craft CMS
  • Communication strategy: CISA advisory; ConnectWise customer notification (limited impact)

Incident Details

Can you provide details on each incident ?

Incident : Phishing Attack

Title: Phishing Attack on ConnectWise

Description: ConnectWise, which offers a self-hosted remote desktop software application, suffered an unusually sophisticated phishing attack that can let attackers take remote control over user systems when recipients click the included link.

Date Detected: 2023-10-01

Date Publicly Disclosed: 2023-10-01

Type: Phishing Attack

Attack Vector: Email Phishing

Vulnerability Exploited: Remote Control Software Vulnerability

Motivation: Unauthorized Access

Incident : Ransomware

Title: Ransomware Attacks on ConnectWise Partners

Description: Multiple ConnectWise partners have had their customers hit with ransomware attacks through a software flaw that left several end users compromised. An MSP was encrypted, prompting the company to release a hotfix and notify users.

Type: Ransomware

Attack Vector: Software Flaw

Vulnerability Exploited: Software Flaw

Motivation: Financial Gain

Incident : Cyberattack

Title: Suspected State-Sponsored Cyberattack on ConnectWise's ScreenConnect

Description: A suspected state-sponsored cyberattack breached ConnectWise's environment, impacting a limited number of ScreenConnect customers. The breach was tied to the CVE-2025-3935 vulnerability, a high-severity ViewState code injection bug caused by unsafe deserialization of ASP.NET ViewState.

Date Detected: May 2025

Type: Cyberattack

Attack Vector: Vulnerability Exploitation

Vulnerability Exploited: CVE-2025-3935

Threat Actor: Suspected nation state actor

Incident : cyberattack

Title: Compromise of ConnectWise ScreenConnect Cloud Infrastructure in Suspected State-Sponsored Cyberattack

Description: Florida-based IT management software provider ConnectWise disclosed the compromise of its ScreenConnect cloud infrastructure in a suspected state-sponsored cyberattack. Only a few organizations using ScreenConnect were impacted. The incident was resolved with immediate patching efforts and the adoption of more robust monitoring and security mechanisms. Malicious activity was successfully mitigated, though additional details regarding the timeline and extent of the data breach were not provided.

Type: cyberattack

Threat Actor: suspected state-sponsored actor

Incident : Vulnerability Exploitation

Title: Ongoing Intrusions Exploiting ConnectWise ScreenConnect Vulnerability (CVE-2025-3935) and Related KEV Additions by CISA

Description: Organizations have been warned by the Cybersecurity and Infrastructure Security Agency (CISA) regarding ongoing intrusions exploiting the recently addressed ConnectWise ScreenConnect vulnerability (CVE-2025-3935), which could be leveraged in ViewState code injection attacks. The flaw is suspected to have been harnessed in a suspected state-backed attack against the remote monitoring and management (RMM) software provider. ConnectWise has not acknowledged the claim but stated that a limited number of its customers were affected. CISA also added four other vulnerabilities to its Known Exploited Vulnerabilities (KEV) list, including critical flaws in Asus routers (CVE-2021-32030, CVE-2023-39780) and Craft CMS (CVE-2024-56145, CVE-2025-35939). Attacks combining CVE-2023-39780 with other authentication bypass issues were reported by GreyNoise to have facilitated the creation of the AyySSHush botnet. Remediation for all KEV entries is mandated by June 23, 2025.

Type: Vulnerability Exploitation

Attack Vector: ViewState Code Injection (CVE-2025-3935); Authentication Bypass (CVE-2021-32030, CVE-2023-39780); OS Injection (CVE-2023-39780)

Threat Actor: Suspected State-Backed Actor (Unconfirmed)

Motivation: Espionage (Suspected); Botnet Expansion (AyySSHush)

What are the most common types of attacks the company has faced ?

Common Attack Types: The most common type of attack the company has faced is Cyber Attack.

How does the company identify the attack vectors used in incidents ?

Identification of Attack Vectors: The company identifies the attack vectors used in incidents through Email Phishing, ConnectWise ScreenConnect (CVE-2025-3935), and Asus Routers (CVE-2023-39780).

Impact of the Incidents

What was the impact of each incident ?

Incident : Phishing Attack CON01841222

Systems Affected: User Systems

Incident : Ransomware CON1166123

Systems Affected: Multiple End Users; MSP

Incident : Cyberattack CON454052925

Systems Affected: ScreenConnect cloud-hosted instances

Incident : cyberattack CON2965729112825

Systems Affected: ScreenConnect cloud infrastructure

Operational Impact: limited (only a few organizations using ScreenConnect were impacted)

Brand Reputation Impact: highlighted security risks for managed software providers; reminder for vendors to improve security measures

Incident : Vulnerability Exploitation CON2251822112925

Systems Affected: ConnectWise ScreenConnect (Limited Customers); Asus Routers; Craft CMS

Operational Impact: Potential RMM software disruption; Botnet propagation (AyySSHush)

Brand Reputation Impact: Potential reputational damage to ConnectWise and affected vendors

Which entities were affected by each incident ?

Incident : Phishing Attack CON01841222

Entity Name: ConnectWise

Entity Type: Software Company

Industry: Technology

Incident : Ransomware CON1166123

Entity Name: ConnectWise

Entity Type: Software Company

Industry: Technology

Customers Affected: Multiple

Incident : Cyberattack CON454052925

Entity Name: ScreenConnect customers

Entity Type: Companies using ScreenConnect

Industry: IT Management

Size: Very small number of customers

Incident : cyberattack CON2965729112825

Entity Name: ConnectWise

Entity Type: IT management software provider

Industry: technology/software

Location: Florida, USA

Customers Affected: few organizations using ScreenConnect

Incident : Vulnerability Exploitation CON2251822112925

Entity Name: ConnectWise

Entity Type: Software Provider

Industry: IT Management/Remote Monitoring

Customers Affected: Limited number (per ConnectWise statement)

Incident : Vulnerability Exploitation CON2251822112925

Entity Name: Asus Router Users

Entity Type: Hardware/Networking

Industry: Multiple (Consumers/Enterprises)

Incident : Vulnerability Exploitation CON2251822112925

Entity Name: Craft CMS Users

Entity Type: Software

Industry: Web Content Management

Response to the Incidents

What measures were taken in response to each incident ?

Incident : Phishing Attack CON01841222

Communication Strategy: Advisory Warning

Incident : Ransomware CON1166123

Remediation Measures: Released Hotfix; Notified Users

Incident : Cyberattack CON454052925

Third Party Assistance: Mandiant (forensic experts)

Communication Strategy: Contacted all affected customers

Enhanced Monitoring: Implemented enhanced monitoring and hardened the security across its network

Incident : cyberattack CON2965729112825

Incident Response Plan Activated: True

Containment Measures: immediate patching

Remediation Measures: adoption of more robust monitoring and security mechanisms

Communication Strategy: public disclosure via CRN

Incident : Vulnerability Exploitation CON2251822112925

Containment Measures: CISA KEV listing (remediation deadline: June 23, 2025)

Remediation Measures: Patch deployment for CVE-2025-3935 (ConnectWise); Vendor advisories for Asus/Craft CMS

Communication Strategy: CISA advisory; ConnectWise customer notification (limited impact)

How does the company involve third-party assistance in incident response ?

Third-Party Assistance: The company involves third-party assistance in incident response through Mandiant (forensic experts).

Data Breach Information

What measures does the company take to prevent data exfiltration ?

Prevention of Data Exfiltration: The company takes the following measures to prevent data exfiltration: released hotfix, notified users, adoption of more robust monitoring and security mechanisms, patch deployment for CVE-2025-3935 (ConnectWise), and vendor advisories for Asus/Craft CMS.

How does the company handle incidents involving personally identifiable information (PII) ?

Handling of PII Incidents: The company handles incidents involving personally identifiable information (PII) through immediate patching and CISA KEV listing (remediation deadline: June 23, 2025).

Regulatory Compliance

Were there any regulatory violations and fines imposed for each incident ?

Incident : Vulnerability Exploitation CON2251822112925

Regulatory Notifications: CISA KEV Catalog Update (Mandatory Remediation by June 23, 2025)

Lessons Learned and Recommendations

What lessons were learned from each incident ?

Incident : cyberattack CON2965729112825

Lessons Learned: Incident highlights the security risks faced by managed software providers. Vendors must focus on protecting themselves, their customers (MSPs), and end-users, as no system is 100% secure.

What recommendations were made to prevent future incidents ?

Incident : cyberattack CON2965729112825

Recommendations:
  • Continuously evaluate and improve security of software offerings
  • Implement robust monitoring and security mechanisms
  • Proactively mitigate vulnerabilities to prevent exploitation

Incident : Vulnerability Exploitation CON2251822112925

Recommendations: Immediate patching of ConnectWise ScreenConnect (CVE-2025-3935) for RMM users; Remediation of Asus router vulnerabilities (CVE-2021-32030, CVE-2023-39780) to prevent botnet exploitation (AyySSHush); Update Craft CMS installations to address CVE-2024-56145 and CVE-2025-35939; Monitor for state-backed threat activity targeting RMM software; Implement network segmentation to limit lateral movement in case of exploitation.

What are the key lessons learned from past incidents ?

Key Lessons Learned: The key lessons learned from past incidents are: Incident highlights the security risks faced by managed software providers. Vendors must focus on protecting themselves, their customers (MSPs), and end-users, as no system is 100% secure.

References

Where can I find more information about each incident ?

Incident : Cyberattack CON454052925

Source: CRN

Incident : Cyberattack CON454052925

Source: BleepingComputer

Incident : cyberattack CON2965729112825

Source: CRN

Incident : Vulnerability Exploitation CON2251822112925

Source: BleepingComputer

Incident : Vulnerability Exploitation CON2251822112925

Source: CISA Known Exploited Vulnerabilities Catalog

URL: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

Incident : Vulnerability Exploitation CON2251822112925

Source: GreyNoise (AyySSHush Botnet Report)

Where can stakeholders find additional resources on cybersecurity best practices ?

Additional Resources: Stakeholders can find additional resources on cybersecurity best practices at CRN, BleepingComputer, CISA Known Exploited Vulnerabilities Catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog), and GreyNoise (AyySSHush Botnet Report).

Investigation Status

What is the current status of the investigation for each incident ?

Incident : Cyberattack CON454052925

Investigation Status: Ongoing

Incident : cyberattack CON2965729112825

Investigation Status: resolved; malicious activity mitigated

Incident : Vulnerability Exploitation CON2251822112925

Investigation Status: Ongoing (CISA/ConnectWise)

How does the company communicate the status of incident investigations to stakeholders ?

Communication of Investigation Status: The company communicates the status of incident investigations to stakeholders through Advisory Warning, Contacted all affected customers, Public Disclosure via CRN, CISA Advisory and ConnectWise Customer Notification (Limited Impact).

Stakeholder and Customer Advisories

Were there any advisories issued to stakeholders or customers for each incident ?

Incident : Phishing Attack CON01841222

Customer Advisories: Advisory Warning

Incident : Vulnerability Exploitation CON2251822112925

Stakeholder Advisories: CISA Alert, ConnectWise Customer Notification.

Customer Advisories: Patch immediately for ScreenConnect users, Check for Asus router compromises

What advisories does the company provide to stakeholders and customers following an incident ?

Advisories Provided: The company provides the following advisories to stakeholders and customers following an incident: Advisory Warning, CISA Alert, ConnectWise Customer Notification, Patch Immediately for ScreenConnect Users and Check for Asus Router Compromises.

Initial Access Broker

How did the initial access broker gain entry for each incident ?

Incident : Phishing Attack CON01841222

Entry Point: Email Phishing

Incident : Vulnerability Exploitation CON2251822112925

Entry Point: ConnectWise ScreenConnect (CVE-2025-3935), Asus Routers (CVE-2023-39780)

High Value Targets: RMM Software Providers (Suspected), Router Networks (AyySSHush)

Data Sold on Dark Web: RMM Software Providers (Suspected), Router Networks (AyySSHush)

Post-Incident Analysis

What were the root causes and corrective actions taken for each incident ?

Incident : Cyberattack CON454052925

Root Causes: Vulnerability in ScreenConnect (CVE-2025-3935)

Incident : cyberattack CON2965729112825

Corrective Actions: Immediate Patching, Enhanced Monitoring and Security Mechanisms

Incident : Vulnerability Exploitation CON2251822112925

Root Causes: Unpatched Vulnerabilities in Widely Used Software (ScreenConnect, Asus Routers, Craft CMS); Potential State-Backed Exploitation of RMM Tools for Supply-Chain Attacks.

Corrective Actions: Enforce CISA KEV Remediation Deadlines; Enhance Monitoring for ViewState Injection and Authentication Bypass Attempts; Conduct Third-Party Audits of RMM Software Security.

What is the company's process for conducting post-incident analysis ?

Post-Incident Analysis Process: The company's process for conducting post-incident analysis is described as Mandiant (forensic experts), Implemented enhanced monitoring and hardened the security across its network.

What corrective actions has the company taken based on post-incident analysis ?

Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis: Immediate Patching; Enhanced Monitoring and Security Mechanisms; Enforce CISA KEV Remediation Deadlines; Enhance Monitoring for ViewState Injection and Authentication Bypass Attempts; Conduct Third-Party Audits of RMM Software Security.

Additional Questions

General Information

Who was the attacking group in the last incident ?

Last Attacking Group: The attacking group in the last incident was a suspected nation state actor, suspected state-sponsored actor and suspected state-backed actor (unconfirmed).

Incident Details

What was the most recent incident detected ?

Most Recent Incident Detected: The most recent incident detected was on 2023-10-01.

What was the most recent incident publicly disclosed ?

Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was on 2023-10-01.

Impact of the Incidents

What was the most significant system affected in an incident ?

Most Significant System Affected: The most significant systems affected in an incident were User Systems, Multiple End Users, MSP, ScreenConnect cloud infrastructure, ConnectWise ScreenConnect (Limited Customers), Asus Routers and Craft CMS.

Response to the Incidents

What third-party assistance was involved in the most recent incident ?

Third-Party Assistance in Most Recent Incident: The third-party assistance involved in the most recent incident was Mandiant (forensic experts).

What containment measures were taken in the most recent incident ?

Containment Measures in Most Recent Incident: The containment measures taken in the most recent incident were immediate patching and CISA KEV listing (remediation deadline: June 23, 2025).

Lessons Learned and Recommendations

What was the most significant lesson learned from past incidents ?

Most Significant Lesson Learned: The most significant lesson learned from past incidents was: Incident highlights the security risks faced by managed software providers. Vendors must focus on protecting themselves, their customers (MSPs), and end-users, as no system is 100% secure.

What was the most significant recommendation implemented to improve cybersecurity ?

Most Significant Recommendation Implemented: The most significant recommendations implemented to improve cybersecurity were: Immediate patching of ConnectWise ScreenConnect (CVE-2025-3935) for RMM users; Continuously evaluate and improve security of software offerings; Update Craft CMS installations to address CVE-2024-56145 and CVE-2025-35939; Implement robust monitoring and security mechanisms; Implement network segmentation to limit lateral movement in case of exploitation; Remediation of Asus router vulnerabilities (CVE-2021-32030, CVE-2023-39780) to prevent botnet exploitation (AyySSHush); Monitor for state-backed threat activity targeting RMM software; and Proactively mitigate vulnerabilities to prevent exploitation.

References

What is the most recent source of information about an incident ?

Most Recent Source: The most recent sources of information about an incident are CISA Known Exploited Vulnerabilities Catalog, BleepingComputer, GreyNoise (AyySSHush Botnet Report) and CRN.

What is the most recent URL for additional resources on cybersecurity best practices ?

Most Recent URL for Additional Resources: The most recent URL for additional resources on cybersecurity best practices is https://www.cisa.gov/known-exploited-vulnerabilities-catalog .

Investigation Status

What is the current status of the most recent investigation ?

Current Status of Most Recent Investigation: The current status of the most recent investigation is Ongoing.

Stakeholder and Customer Advisories

What was the most recent stakeholder advisory issued ?

Most Recent Stakeholder Advisory: The most recent stakeholder advisory issued was CISA Alert, ConnectWise Customer Notification.

What was the most recent customer advisory issued ?

Most Recent Customer Advisory: The most recent customer advisories issued were Advisory Warning, Patch immediately for ScreenConnect users and Check for Asus router compromises.

Initial Access Broker

What was the most recent entry point used by an initial access broker ?

Most Recent Entry Point: The most recent entry point used by an initial access broker was Email Phishing.

Post-Incident Analysis

What was the most significant root cause identified in post-incident analysis ?

Most Significant Root Cause: The most significant root causes identified in post-incident analysis were Vulnerability in ScreenConnect (CVE-2025-3935); Unpatched vulnerabilities in widely used software (ScreenConnect, Asus routers, Craft CMS); Potential state-backed exploitation of RMM tools for supply-chain attacks.

What was the most significant corrective action taken based on post-incident analysis ?

Most Significant Corrective Action: The most significant corrective actions taken based on post-incident analysis were immediate patching; enhanced monitoring and security mechanisms; Enforce CISA KEV remediation deadlines; Enhance monitoring for ViewState injection and authentication bypass attempts; Conduct third-party audits of RMM software security.

Latest Global CVEs (Not Company-Specific)

Description

NXLog Agent before 6.11 can load a file specified by the OPENSSL_CONF environment variable.

Risk Information
cvss3
Base: 8.1
Severity: HIGH
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Description

uriparser through 0.9.9 allows unbounded recursion and stack consumption, as demonstrated by ParseMustBeSegmentNzNc with large input containing many commas.

Risk Information
cvss3
Base: 2.9
Severity: HIGH
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Description

A vulnerability was detected in Mayan EDMS up to 4.10.1. The affected element is an unknown function of the file /authentication/. The manipulation results in cross site scripting. The attack may be performed from remote. The exploit is now public and may be used. Upgrading to version 4.10.2 is sufficient to fix this issue. You should upgrade the affected component. The vendor confirms that this is "[f]ixed in version 4.10.2". Furthermore, that "[b]ackports for older versions in process and will be out as soon as their respective CI pipelines complete."

Risk Information
cvss2
Base: 5.0
Severity: LOW
AV:N/AC:L/Au:N/C:N/I:P/A:N
cvss3
Base: 4.3
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
cvss4
Base: 5.3
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Description

MJML through 4.18.0 allows mj-include directory traversal to test file existence and (in the type="css" case) read files. NOTE: this issue exists because of an incomplete fix for CVE-2020-12827.

Risk Information
cvss3
Base: 4.5
Severity: HIGH
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:L

Description

A half-blind Server Side Request Forgery (SSRF) vulnerability exists in kube-controller-manager when using the in-tree Portworx StorageClass. This vulnerability allows authorized users to leak arbitrary information from unprotected endpoints in the control plane’s host network (including link-local or loopback services).

Risk Information
cvss3
Base: 5.8
Severity: HIGH
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N

Access Data Using Our API

Get company history

curl -i -X GET 'https://api.rankiteo.com/underwriter-getcompany-history?linkedin_id=connectwise' -H 'apikey: YOUR_API_KEY_HERE'

What Do We Measure ?

Incident
Finding
Grade
Digital Assets

Every week, Rankiteo analyzes billions of signals to give organizations a sharper, faster view of emerging risks. With deeper, more actionable intelligence at their fingertips, security teams can outpace threat actors, respond instantly to Zero-Day attacks, and dramatically shrink their risk exposure window.

These are some of the factors we use to calculate the overall score:

Network Security

Identify exposed access points, detect misconfigured SSL certificates, and uncover vulnerabilities across the network infrastructure.

SBOM (Software Bill of Materials)

Gain visibility into the software components used within an organization to detect vulnerabilities, manage risk, and ensure supply chain security.

CMDB (Configuration Management Database)

Monitor and manage all IT assets and their configurations to ensure accurate, real-time visibility across the company's technology environment.

Threat Intelligence

Leverage real-time insights on active threats, malware campaigns, and emerging vulnerabilities to proactively defend against evolving cyberattacks.

Rankiteo is a unified scoring and risk platform that analyzes billions of signals weekly to help organizations gain faster, more actionable insights into emerging threats. Empowering teams to outpace adversaries and reduce exposure.