ConnectWise A.I CyberSecurity Scoring
ConnectWise
Company Information
Website: https://www.connectwise.com/
Employees: 3,450
Followers: 196,320
NAICS: 5112
Industry type: Software Development
Homepage: connectwise.com
ConnectWise Risk Score (AI oriented): between 650 and 699
ConnectWise (Software Development)
Updated: 05/05/2026
Score: 675/1000 (Weak, grade B)
ConnectWise Global Score (TPRM): score locked (not shown)

Current Score: 675, grade B (WEAK), on a 0 to 1000 scale
9 incidents
-14.33 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026: 678
MAY 2026: 675
APRIL 2026: 672
MARCH 2026: 675
Vulnerability | 18 Mar 2026 | ConnectWise
ConnectWise: ScreenConnect Vulnerability Allows Hackers to Extract Unique Machine Keys and Hijack Sessions
Critical ScreenConnect Vulnerability Exposes Remote Desktop Sessions to Hijacking
Score: 670 | Severity: CRITICAL-5 | Incident ID: CON1773851361
ConnectWise has issued an urgent security advisory for its ScreenConnect remote desktop software, revealing a critical cryptographic flaw (CVE-2026-3564) that could enable unauthenticated attackers to extract server-level machine keys and bypass session authentication. The vulnerability, assigned a CVSS score of 9.0, affects all ScreenConnect versions prior to 26.1 and is classified as Priority 1 (High) due to active or imminent exploitation risks.
The flaw stems from plaintext storage of machine keys and cryptographic identifiers in server configuration files, allowing attackers with filesystem or configuration access to extract them without elevated privileges. Once obtained, these keys can be used to forge session tokens, impersonate legitimate users, and circumvent access controls. The issue is rooted in CWE-347 (Improper Verification of Cryptographic Signature), where the software fails to validate cryptographic integrity before trusting authentication components.
Exploitation requires no user interaction or privileges, though the attack complexity is rated high because specific conditions must be met. The scope is marked as "Changed", meaning successful exploitation could affect resources beyond the vulnerable component, a major concern for enterprises relying on ScreenConnect for remote access.
ConnectWise has released ScreenConnect 26.1, which mitigates the flaw by encrypting key storage and improving key management. Cloud-hosted instances are already protected, but on-premises deployments must manually upgrade to version 26.1, with lapsed maintenance licenses requiring renewal before patching. Security teams are advised to prioritize remediation and review session logs for signs of prior exploitation.
FEBRUARY 2026: 691
Cyber Attack | 10 Feb 2026 | ConnectWise
ConnectWise, Datto, SmartVault, SimpleHelp and Amazon: Microsoft Warns IRS Phishing Hits 29,000 Users, Deploys RMM Malware
Microsoft Warns of Tax-Season Phishing Surge Targeting U.S. Organizations
Score: 672 | Severity: CRITICAL-19 | Incident ID: SMASIMCONAMADAT1775551328
Microsoft has identified a wave of phishing campaigns exploiting the U.S. tax season to steal credentials and deploy malware. Threat actors are leveraging urgent, time-sensitive lures such as fake refund notices, payroll forms, and IRS impersonations to trick recipients into interacting with malicious links, QR codes, or attachments.
The attacks disproportionately target accountants, tax professionals, and industries handling sensitive financial data, including manufacturing, retail, healthcare, and higher education. Some campaigns use Phishing-as-a-Service (PhaaS) platforms like Energy365 and SneakyLog (Kratos) to harvest credentials, including two-factor authentication (2FA) codes, via spoofed Microsoft 365 login pages. Others deploy remote monitoring and management (RMM) tools such as ConnectWise ScreenConnect, Datto, and SimpleHelp to gain persistent access to compromised systems.
Key campaigns include:
- CPA-themed phishing using the Energy365 kit, sending hundreds of thousands of malicious emails daily.
- QR code and W-2 lures targeting ~100 U.S. organizations in manufacturing, retail, and healthcare, redirecting victims to fake Microsoft 365 sign-in pages.
- IRS impersonation with cryptocurrency tax form scams, distributing ScreenConnect or SimpleHelp via domains like irs-doc[.]com.
- Datto malware delivery via fake tax-filing assistance links sent to accountants.
- A large-scale February 10, 2026, attack affecting 29,000 users across 10,000 organizations, primarily in financial services, tech, and retail. Emails, sent via Amazon SES, claimed irregular tax returns under recipients’ Electronic Filing Identification Numbers (EFINs) and directed users to a fake SmartVault site (smartvault[.]im) to download a malicious ScreenConnect installer.
The campaigns highlight a 277% year-over-year surge in RMM tool abuse, with attackers daisy-chaining multiple tools to evade detection. Since RMM software is often trusted in corporate environments, unauthorized usage can go unnoticed, complicating attribution and response efforts.
JANUARY 2026: 707
Cyber Attack | 01 Jan 2026 | ConnectWise
ScreenConnect: New Infostealer Dubbed ‘Pheno’ Hijacks Windows’ Phone Link App to Steal MFA OTPs
Cybercriminals Exploit Microsoft Phone Link to Steal SMS-Based OTPs Without Malware on Mobile Devices
Score: 688 | Severity: CRITICAL-19 | Incident ID: CON1778005541
A sophisticated cyberattack campaign, active since at least January 2026, has uncovered a novel method to intercept SMS-based one-time passwords (OTPs) by targeting Windows PCs synced with mobile devices without deploying malware on the phones themselves. Researchers identified the attack leveraging a remote access trojan (RAT) called CloudZ, paired with a previously unknown plugin dubbed Pheno, to harvest credentials and authentication codes.
The attack exploits Microsoft Phone Link (formerly "Your Phone"), a built-in Windows 10 and 11 application that mirrors calls, messages, and app notifications from Android or iOS devices to a desktop. Pheno scans for active phone connections by detecting processes like PhoneExperienceHost or Link to Windows, then accesses the app’s local SQLite database where SMS messages and OTPs are stored, bypassing mobile security controls entirely.
Unlike traditional attacks, this method avoids direct compromise of the mobile device, instead targeting the enterprise-managed Windows endpoint the phone trusts. The campaign highlights a critical gap in security strategies that prioritize smartphone protection over the desktop environments they sync with.
CloudZ, a modular .NET RAT compiled on January 13 and obfuscated with ConfuserEx, extends beyond Pheno’s OTP theft. It supports credential harvesting from browsers, file operations, remote command execution, and host profiling. The malware establishes an encrypted TCP connection to its command-and-control (C2) server, using rotating user-agent strings to blend with legitimate traffic. To evade detection, CloudZ dynamically generates executable functions in memory, avoiding static binary storage on disk, and checks for analysis tools like Wireshark, Fiddler, and Sysmon before execution.
The infection chain begins with a fake update for ScreenConnect, a legitimate remote support tool widely used in enterprises. The malicious update deploys a Rust-compiled loader, which installs a .NET loader to deliver CloudZ and establish persistence via a scheduled task. Despite thorough analysis by Cisco Talos researchers, the threat actor behind the campaign remains unidentified, and the initial access vector is still unclear.
DECEMBER 2025: 707
NOVEMBER 2025: 705
OCTOBER 2025: 704
SEPTEMBER 2025: 702
AUGUST 2025: 700
JULY 2025: 698
JUNE 2025: 699
Vulnerability | 04 Jun 2025 | ConnectWise
Ongoing Intrusions Exploiting ConnectWise ScreenConnect Vulnerability (CVE-2025-3935) and Related KEV Additions by CISA
Score: 695 | Severity: CRITICAL-4 | Incident ID: CON2251822112925
The Cybersecurity and Infrastructure Security Agency (CISA) issued a warning about active exploitation of CVE-2025-3935, a critical ConnectWise ScreenConnect vulnerability enabling ViewState code injection attacks. While suspected to be leveraged in a state-backed cyber intrusion, ConnectWise acknowledged only a limited number of affected customers, avoiding confirmation of the attack’s origin. The flaw allows unauthorized remote code execution, potentially granting attackers full system control, data exfiltration, or lateral movement within compromised networks. Though no large-scale data breaches or operational disruptions were publicly confirmed, the vulnerability’s exploitation poses severe risks—including unauthorized access to sensitive corporate or client data, disruption of remote monitoring/management services, or deployment of secondary payloads (e.g., ransomware or spyware). CISA’s inclusion of the flaw in its Known Exploited Vulnerabilities (KEV) catalog underscores its criticality, mandating urgent patching by June 23. The incident highlights the persistent threat of nation-state actors targeting widely used enterprise software to infiltrate supply chains, with potential cascading effects on dependent organizations.
MAY 2025: 718
Cyber Attack | 29 May 2025 | ConnectWise
Compromise of ConnectWise ScreenConnect Cloud Infrastructure in Suspected State-Sponsored Cyberattack
Score: 699 | Severity: HIGH-19 | Incident ID: CON2965729112825
ConnectWise, a Florida-based IT management software provider, experienced a cybersecurity incident involving the compromise of its ScreenConnect cloud infrastructure, suspected to be a state-sponsored cyberattack. The breach was contained swiftly through immediate patching, enhanced monitoring, and strengthened security mechanisms. While the exact scope of the data compromise remains undisclosed, the incident was limited to a small subset of organizations using ScreenConnect. Malicious activity was mitigated, and no further exploitation was reported. The event underscored vulnerabilities in managed service providers (MSPs), prompting industry calls for heightened security measures to protect vendors, MSPs, and end-users. No evidence suggested large-scale data theft, financial fraud, or operational disruptions beyond the initial intrusion. The focus remained on preventing future exploits rather than addressing widespread damage.
JANUARY 2025: 716
Vulnerability | 01 Jan 2025 | ConnectWise
Ivanti, PaperCut, ConnectWise and Microsoft: Microsoft flags China-based hackers using vicious new 'rapid attack' zero-days to launch ransomware at targets across the world
Storm-1175: Rapid Ransomware Deployment via Zero-Day and N-Day Exploits
Score: 712 | Severity: CRITICAL-4 | Incident ID: CONMICPAPIVA1775607925
A Chinese-speaking cybercriminal group, Storm-1175, is accelerating its attacks, moving from initial access to full system compromise, including Medusa ransomware deployment, in as little as 24 hours, according to a new Microsoft report. Unlike state-sponsored actors, the group operates for financial gain, targeting the healthcare, finance, education, and professional services sectors, primarily in the U.S., U.K., and Australia.
Storm-1175 exploits a mix of zero-day and n-day vulnerabilities, often chaining flaws for maximum impact. The group has been observed abusing zero-days before public disclosure and rapidly weaponizing n-days, leaving defenders minimal time to patch. Over 16 vulnerabilities across 10 products have been leveraged, including critical flaws in:
- Microsoft Exchange (CVE-2023-21529)
- PaperCut (CVE-2023-27351, CVE-2023-27350)
- Ivanti Connect Secure/Policy Secure (CVE-2023-46805, CVE-2024-21887)
- ConnectWise ScreenConnect (CVE-2024-1709, CVE-2024-1708)
- JetBrains TeamCity, SimpleHelp, CrushFTP, SmarterMail, and BeyondTrust
After gaining access, the group disables antivirus and endpoint protection, deploys tools for lateral movement and persistence, and exfiltrates data before encrypting systems with Medusa ransomware. Their high operational tempo and ability to identify exposed assets have made their attacks particularly effective.
AUGUST 2024: 729
Cyber Attack | 01 Aug 2024 | ConnectWise
Suspected State-Sponsored Cyberattack on ConnectWise's ScreenConnect
Score: 710 | Severity: CRITICAL-19 | Incident ID: CON454052925
ConnectWise, a Florida-based software company providing IT management solutions, experienced a suspected state-sponsored cyberattack that breached its environment. The attack impacted a limited number of ScreenConnect customers, a remote access and support tool. The breach occurred in August 2024 and was discovered in May 2025, with the vulnerability tracked as CVE-2025-3935. The flaw allowed threat actors with privileged access to steal secret machine keys and conduct remote code execution on ScreenConnect servers, potentially accessing customer environments. The company has implemented enhanced monitoring and security measures but has not confirmed the extent of the breach or the specifics of the malicious activity observed.
DECEMBER 2022: 712
Vulnerability | 01 Dec 2022 | ConnectWise
Phishing Attack on ConnectWise
Score: 707 | Severity: CRITICAL-5 | Incident ID: CON01841222
ConnectWise, which offers a self-hosted remote desktop software application, suffered an unusually sophisticated phishing attack that can let attackers take remote control of user systems when recipients click the included link.
The warning came just weeks after the company quietly patched a vulnerability that makes it easier for phishers to launch these attacks.
In October, ConnectWise learned that an attacker could craft a ConnectWise Control client download link that would bounce or proxy the remote connection from the MSP’s servers to a server that the attacker controls.
ConnectWise issued an advisory warning users to be on guard against a new round of email phishing attempts that mimic the legitimate email alerts the company sends when it detects unusual activity on a customer account.
JUNE 2020: 769
Ransomware | 01 Jun 2020 | ConnectWise
Ransomware Attacks on ConnectWise Partners
Score: 666 | Severity: CRITICAL-103 | Incident ID: CON1166123
Multiple ConnectWise partners have had their customers hit with ransomware attacks.
The attacks came through a software flaw that left several end users compromised.
An MSP was encrypted, which is what prompted the company to release the hotfix and notify users.
Frequently Asked Questions
What is the current A.I Rankiteo Cyber Score for ConnectWise?
What was ConnectWise's A.I Rankiteo Cyber Score in May 2026?
What was ConnectWise's A.I Rankiteo Cyber Score in April 2026?
What was ConnectWise's A.I Rankiteo Cyber Score in March 2026?
What was ConnectWise's A.I Rankiteo Cyber Score in February 2026?
What was ConnectWise's A.I Rankiteo Cyber Score in January 2026?
What was ConnectWise's A.I Rankiteo Cyber Score in December 2025?
What was ConnectWise's A.I Rankiteo Cyber Score in November 2025?
What was ConnectWise's A.I Rankiteo Cyber Score in October 2025?
What was ConnectWise's A.I Rankiteo Cyber Score in September 2025?
What was ConnectWise's A.I Rankiteo Cyber Score in August 2025?
What was ConnectWise's A.I Rankiteo Cyber Score in July 2025?
What is the average per-incident point impact on ConnectWise's A.I Rankiteo Cyber Score over the past 12 months?
Where can I access detailed records of all cyber incidents associated with ConnectWise?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
Where can I view ConnectWise's profile page on Rankiteo?
How accurate is the A.I Rankiteo Risk Scoring methodology?