Unpacking the ConnectWise Supply Chain Attack and Why Zero Trust Offers a Strong Defense


June 19, 2025

Catherine Sorensen

Senior Product Marketing Manager

The recent incident involving ConnectWise's ScreenConnect servers sent ripples through the cybersecurity world. It serves as a stark reminder of the risks posed by "supply chain attacks", where compromising one trusted vendor can lead to widespread access to its customers, and even its customers' customers. In this blog we'll break down, in plain English, how such an attack was possible, and then introduce a defense strategy that could mitigate the worst of its fallout: Zero Trust.

Understanding the Attack: A Quick Vocab Lesson

To grasp the cleverness (and danger) of this attack, let's start with some key terms:

  • ASP.NET: A server-side web application framework, built by Microsoft, and commonly used to build web applications.
  • ViewState: A mechanism in ASP.NET Web Forms that preserves the state of a web page and its controls (like text in a textbox or whether a checkbox is checked) between requests to the server. It travels with every postback as a hidden form field named __VIEWSTATE.
    • For example, it's commonly used to remember the text a user typed into a form field after they submit the form and the page reloads. ViewState is signed (MAC-protected) with the machine key, and can optionally be encrypted with it as well.
  • Machine Key: The cryptographic keys an ASP.NET application uses to sign/verify (the validationKey) and encrypt/decrypt (the decryptionKey) sensitive data such as ViewState, to ensure integrity and confidentiality. They are configured in the <machineKey> element of web.config, or auto-generated per application by default.
    • For example, the validation key is used to verify that the ViewState sent from your browser hasn't been tampered with before the server processes it.
    • Machine keys are extremely valuable and should be protected, because an attacker who holds them can forge data that the server will accept as legitimate (like having the master key to a building).
  • RCE (Remote Code Execution): A class of attack in which a threat actor runs code of their choosing on a victim's machine over the network.
    • It is one of the most severe outcomes, as it grants the attacker direct control over the compromised server, where they can install malware, steal data, alter configurations, or use the server as a jumping-off point for further attacks.
  • Supply Chain Attack: A cyberattack that targets an organization by first compromising a less secure element in its broader network or software "supply chain" to gain indirect access to the ultimate target. These attacks are among the hardest to protect against and have some of the farthest-reaching impact.
    • For example, if an attacker wanted to target a specific company, they might exploit the remote access vendor used by that company's Managed Service Provider (MSP), gaining access to the MSP's data and all of its customers' devices (including the targeted company's).

The Attack in a Nutshell: Putting it All Together

This particular vulnerability (CVE-2025-3935) reportedly allowed RCE through ViewState code injection. Of everything an attacker can do with a stolen machine key, this is one of the easiest and most impactful: the server deserializes whatever ViewState carries a valid signature, so a forged ViewState is often the most direct path to taking over the server.

Here's how it works:

  1. The attacker sends an ordinary-looking web request to the application server, but replaces the legitimate __VIEWSTATE value with a malicious payload: a serialized .NET object graph crafted so that deserializing it executes the attacker's code.
  2. In plain terms, the ViewState goes from saying "keep this checkbox checked" to saying "download this malicious code and run it."
  3. Normally, ViewState is designed to prevent exactly this. If an attacker modifies the ViewState, the server detects the invalid signature (because the attacker doesn't have the machine key needed to produce a valid one) and rejects the request before deserializing anything.
  4. However, an attacker who has obtained the machine key can sign the malicious payload themselves, so it looks exactly like something the server generated. The server trusts the forged ViewState, deserializes it, and executes the embedded code, handing the attacker control of the server.
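
To make the four steps above concrete, here is a small added example (not code from ConnectWise, Microsoft or LogMeIn) that models the ViewState trust decision. Real ViewState is a LosFormatter-serialized .NET object graph whose MAC is keyed with the machineKey validationKey; this toy stands in a JSON dictionary for the object graph and HMAC-SHA256 for the MAC, and the page path and "gadget" payload are constructed placeholders. It shows the three cases that matter: a legitimate token is accepted, a tampered token without the key is rejected, and a forged token built with a leaked key is indistinguishable from the server's own.

```python
"""Toy model of ASP.NET ViewState MAC protection and of machine-key forgery.

Added example, not code from ConnectWise, Microsoft or LogMeIn. The "object
graph" is a JSON dict and the MAC is HMAC-SHA256, which is enough to show why
a leaked validationKey turns a tamper check into a forgery tool.
"""
import base64
import hashlib
import hmac
import json
import secrets

MAC_LEN = hashlib.sha256().digest_size  # 32 bytes


def generate_validation_key() -> bytes:
    """Stand-in for validationKey="AutoGenerate": a fresh random key per app."""
    return secrets.token_bytes(64)


def _mac(validation_key: bytes, payload: bytes, modifier: str) -> bytes:
    # `modifier` stands in for the page-specific data ASP.NET mixes into the
    # MAC (page path, ViewStateUserKey). It is public, so it adds no secrecy.
    return hmac.new(validation_key, payload + modifier.encode(), hashlib.sha256).digest()


def make_viewstate(state: dict, validation_key: bytes, modifier: str) -> str:
    """Server side: serialize state, append the MAC, base64-encode as __VIEWSTATE."""
    payload = json.dumps(state, sort_keys=True).encode()
    return base64.b64encode(payload + _mac(validation_key, payload, modifier)).decode()


def load_viewstate(token: str, validation_key: bytes, modifier: str) -> dict:
    """Server side: verify the MAC, and only then deserialize.

    Raises ValueError on a bad MAC (ASP.NET raises a ViewStateException). In
    ASP.NET the deserialization step instantiates arbitrary .NET types named in
    the payload, which is why a MAC-valid forged payload means RCE; json.loads
    is deliberately inert so this script is safe to run.
    """
    raw = base64.b64decode(token)
    if len(raw) <= MAC_LEN:
        raise ValueError("ViewState too short")
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    if not hmac.compare_digest(mac, _mac(validation_key, payload, modifier)):
        raise ValueError("ViewState MAC validation failed")
    return json.loads(payload)


def tamper_without_key(token: str, new_state: dict) -> str:
    """Attacker without the key: swap the payload, keep the old MAC (will fail)."""
    old_mac = base64.b64decode(token)[-MAC_LEN:]
    payload = json.dumps(new_state, sort_keys=True).encode()
    return base64.b64encode(payload + old_mac).decode()


def forge_with_leaked_key(leaked_key: bytes, new_state: dict, modifier: str) -> str:
    """Attacker holding the validationKey: produces exactly what the server would."""
    return make_viewstate(new_state, leaked_key, modifier)


def run_scenarios() -> dict:
    """Return which of the three ViewState tokens the server accepted."""
    key = generate_validation_key()
    page = "/Example/Login.aspx"  # constructed page path, not a real endpoint
    legit = make_viewstate({"RememberMe": True}, key, page)
    # Constructed stand-in for a serialized gadget chain; inert in this toy.
    malicious = {"__type": "Gadget", "cmd": "<attacker command>"}

    def accepted(token: str) -> bool:
        try:
            load_viewstate(token, key, page)
            return True
        except ValueError:
            return False

    return {
        "legit": accepted(legit),
        "tampered": accepted(tamper_without_key(legit, malicious)),
        "forged": accepted(forge_with_leaked_key(key, malicious, page)),
    }


if __name__ == "__main__":
    print(run_scenarios())  # {'legit': True, 'tampered': False, 'forged': True}
```

The point of the third case is that nothing on the server can tell the forged token apart from a real one: the check is only as strong as the secrecy of the key, which is why the remediation for a leaked machine key is to rotate it, not to add more validation.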

Why This Matters (And Why Traditional Defenses Might Fall Short)

This type of machine key compromise leading to RCE is particularly dangerous for several reasons:

  • Bypasses Traditional Antivirus: The malicious activity is carried out by the server's own legitimate code (the .NET deserializer doing what it was built to do, on attacker-chosen input), so antivirus and other signature-based detection can find it hard to spot. The attack uses trusted components of the .NET framework, making it look like normal application behavior.
  • Potential for Broad Access: Ideally, each application (or even each customer's instance within a cloud environment) would have a unique machine key. However, if a cloud provider (or an on-premises multi-application server) uses a single, shared machine key across many instances or tenants, compromising that one key gives an attacker potential access to all of them.
  • High Risk of Supply Chain Attacks (Particularly for Remote Access Tools): In the case of the ConnectWise breach, the ramifications can be particularly severe. By compromising ConnectWise's servers, attackers could gain unrestricted access to every endpoint managed by ConnectWise's customers, using ScreenConnect's own functionality to push scripts or take remote control of them. This turns a single breach into a cascading compromise, affecting not only ConnectWise's server but potentially thousands of its customers, and even their customers' clients.

How Attackers Get the Master Key

Attackers primarily gain access to machine keys through methods like:

  • Hacking the Server: Gaining read access to the server's configuration (web.config is the usual target) through other vulnerabilities (e.g., file inclusion or path traversal, weak credentials, SQL injection).
  • Guessing Weak Keys: When developers use predictable, default or copy-pasted sample machine key values.
  • Public Exposure: Microsoft has noted that over 3,000 machine keys have been publicly disclosed in code documentation and repositories, where anyone can copy them.
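
The "broad access" bullet above and the three key-exposure paths come down to a few properties of the <machineKey> element that can be audited mechanically. The following added example (not ConnectWise's, Microsoft's or LogMeIn's code) checks a set of web.config files for a static key (which must then be handled as a secret and kept out of source control), a weak validation algorithm, ViewState MAC switched off, and one key reused across several applications or tenants. The web.config snippets and the hex keys in them are constructed for the demo and are not real or leaked keys.

```python
"""Audit ASP.NET web.config files for machineKey weaknesses.

Added example, not code from ConnectWise, Microsoft or LogMeIn. Findings are
plain strings so the checker can be wired into whatever reporting you use.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict
from typing import Optional

WEAK_VALIDATION = {"MD5", "SHA1"}  # HMACSHA256 or stronger is the sane choice


def audit_one(name: str, web_config_xml: str) -> list[str]:
    """Return findings for a single web.config (empty list means nothing flagged)."""
    root = ET.fromstring(web_config_xml)
    findings = []

    pages = root.find("./system.web/pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append(f"{name}: enableViewStateMac=false, ViewState accepted without a MAC")

    mk = root.find("./system.web/machineKey")
    if mk is None:
        return findings  # default is AutoGenerate,IsolateApps: a random key per application

    for attr in ("validationKey", "decryptionKey"):
        value = mk.get(attr, "AutoGenerate,IsolateApps")
        if not value.startswith("AutoGenerate"):
            findings.append(f"{name}: static {attr} in web.config; treat it as a secret and keep it unique per app")

    alg = mk.get("validation", "HMACSHA256").upper()
    if alg in WEAK_VALIDATION:
        findings.append(f"{name}: validation={alg}; use HMACSHA256 or stronger")
    return findings


def static_validation_key(web_config_xml: str) -> Optional[str]:
    """Return the explicit validationKey (lower-cased), or None when auto-generated/absent."""
    mk = ET.fromstring(web_config_xml).find("./system.web/machineKey")
    if mk is None:
        return None
    value = mk.get("validationKey", "AutoGenerate,IsolateApps")
    return None if value.startswith("AutoGenerate") else value.lower()


def find_shared_keys(configs: dict[str, str]) -> dict[str, list[str]]:
    """Map each static validationKey to the apps using it, keeping only keys used more than once."""
    users = defaultdict(list)
    for name, xml in configs.items():
        key = static_validation_key(xml)
        if key is not None:
            users[key].append(name)
    return {k: sorted(v) for k, v in users.items() if len(v) > 1}


def audit(configs: dict[str, str]) -> list[str]:
    """Per-config findings plus one finding for every key shared across configs."""
    findings = []
    for name, xml in configs.items():
        findings.extend(audit_one(name, xml))
    for key, apps in find_shared_keys(configs).items():
        findings.append(f"shared validationKey (prefix {key[:8]}) used by {', '.join(apps)}; one leak compromises all of them")
    return findings


# Constructed samples. FAKE_KEY is a 128-hex-character placeholder, not a real key.
FAKE_KEY = "AB" * 64
SAMPLE_CONFIGS = {
    "tenant-a": f"""<configuration><system.web>
        <machineKey validationKey="{FAKE_KEY}" decryptionKey="{'CD' * 32}" validation="HMACSHA256" decryption="AES"/>
      </system.web></configuration>""",
    "tenant-b": f"""<configuration><system.web>
        <machineKey validationKey="{FAKE_KEY}" decryptionKey="{'EF' * 32}" validation="SHA1" decryption="AES"/>
      </system.web></configuration>""",
    "legacy-app": """<configuration><system.web>
        <pages enableViewStateMac="false"/>
      </system.web></configuration>""",
    "clean-app": """<configuration><system.web>
        <machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="HMACSHA256"/>
      </system.web></configuration>""",
}

if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIGS):
        print(line)
```

A static key is not a bug in itself (web farms need one so every node can validate the others' ViewState); the finding is about provenance and scope. If a flagged key appears in a template, a repository or a vendor's documentation, treat it as already public and rotate it.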

The ConnectWise Incident: A Case Study in Supply Chain Risk

The ConnectWise ScreenConnect breach is not the first time that machine keys have been abused for RCE. Examples go back years, but there has been a renewed focus on these attacks recently. Public reporting provides the following:

Timeline of Events:

  • December 2024: Microsoft Threat Intelligence observed limited activity by an unattributed threat actor using a publicly available, static ASP.NET machine key to inject malicious code.
  • February 2025:
    • Microsoft reveals that it has found over 3,000 machine keys exposed publicly and begins warning about the dangers of publicly disclosed keys.
    • Cybersecurity experts identify an alarming trend of cybercriminals exploiting ConnectWise ScreenConnect to establish persistent access to compromised systems. It's not confirmed whether this was the result of the ViewState vulnerability.
  • April 2025: ConnectWise releases a patch that disables ViewState and removes any dependency on it. They assign the vulnerability (tracked as CVE-2025-3935) a Priority 1 rating, indicating it is either being actively targeted or at high risk of exploitation, and state that it could be exploited for a ViewState code injection attack.
  • May 2025: ConnectWise reveals "suspicious activity within our environment that we believe was tied to a sophisticated nation state actor, which affected a very small number of ScreenConnect customers." They connect this attack to the April 2025 vulnerability. While they don't disclose when the breach occurred, affected customers report activity going as far back as November 2024. It's not confirmed how exactly the attackers obtained ConnectWise's machine keys.

While the exact root cause of the ConnectWise breach remains unclear, the incident illustrates how a compromised remote access tool lets an attacker move laterally across many customer environments at once, which is what makes it a supply chain attack. In fact, in 2024 another ConnectWise ScreenConnect vulnerability was exploited for this exact kind of attack. Companies that make remote management technologies and have large MSP customer bases are especially valuable targets, since, by their nature, their products are built to access a wide range of devices across many different companies.

The Game Changer: A Solution Built on Zero Trust Principles

Could the impact of this attack on customers have been prevented? It's complicated. While self-hosting ScreenConnect offers some control, it shifts the patching burden to the customer and brings its own set of risks. The real game-changer lies in a different approach: Zero Trust.

Here's how Zero Trust can change the game:

  • The Core Principle: Instead of trusting implicitly inside the network perimeter, Zero Trust operates on the principle of "never trust, always verify." Every user, device, application, and data flow must be authenticated and authorized.
  • Zero Trust Architecture in Action Against This Attack:
    • With Zero Trust, each sensitive action, such as starting a remote control session or pushing out a script, should require the technician to present a secondary key that authorizes that specific action.
    • This authorization key would be verified on the managed device itself and, critically, would not be stored by the remote access tool.
    • In this instance, while Zero Trust would not have stopped the ConnectWise server itself from being compromised (the initial RCE), it could have reduced the blast radius and prevented the compromise from translating into unrestricted access across the environment. Even with full control of ConnectWise's server, attackers would not possess the unique device-level keys needed to authorize actions on customer devices.
    • To get around this, attackers would need to push a malicious update to the agent itself, a far more sophisticated and difficult attack. In an attempted supply chain attack, the attacker's ability to execute commands on downstream devices would be limited, and they might aim instead for another, weaker link.

In essence, a Zero Trust framework would act as a critical segmentation and authorization layer. It is designed to prevent a compromise at the central management server from automatically cascading into a widespread compromise of all managed endpoints. It's a highly desirable security posture for remote management tools in today's interconnected world.
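
The following added example sketches the pattern described in this section in code. It is an illustration of the design, not LogMeIn's or ConnectWise's implementation, and the message format, the per-device authorization key, the nonce cache and the freshness window are all assumptions made for the demo. The relay plays the role of the central remote access server: it forwards traffic but holds no key. Each managed device verifies an HMAC over the command using a key shared only between the technician's authorizer and that device, plus a nonce and a device binding, so a relay under attacker control can neither mint, alter nor replay commands.

```python
"""Toy device-verified authorization for remote actions (Zero Trust relay model).

Added example, not code from LogMeIn or ConnectWise. The central server
(relay) is assumed fully compromised; the question is what it can still do.
"""
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

MAX_AGE_SECONDS = 300  # assumed freshness window for a command


def canonical(msg: dict) -> bytes:
    """Bytes that get authenticated: every field except the tag, in a fixed order."""
    return json.dumps({k: v for k, v in msg.items() if k != "tag"}, sort_keys=True).encode()


class Authorizer:
    """Technician-side signer. Holds the per-device keys; never runs on the relay."""

    def __init__(self, device_keys: dict[str, bytes]):
        self.device_keys = device_keys

    def authorize(self, device_id: str, action: str, now: Optional[int] = None) -> dict:
        msg = {
            "device": device_id,                       # binds the command to one device
            "action": action,
            "nonce": secrets.token_hex(16),            # defeats replay
            "ts": int(time.time()) if now is None else now,
        }
        msg["tag"] = hmac.new(self.device_keys[device_id], canonical(msg), hashlib.sha256).hexdigest()
        return msg


class Device:
    """Managed endpoint. Knows only its own key; rejects anything it cannot verify."""

    def __init__(self, device_id: str, key: bytes):
        self.device_id = device_id
        self.key = key
        self.seen_nonces: set[str] = set()

    def handle(self, msg: dict, now: Optional[int] = None) -> tuple[bool, str]:
        now = int(time.time()) if now is None else now
        if msg.get("device") != self.device_id:
            return False, "command bound to a different device"
        expected = hmac.new(self.key, canonical(msg), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(str(msg.get("tag", "")), expected):
            return False, "bad authorization tag"
        if abs(now - int(msg.get("ts", 0))) > MAX_AGE_SECONDS:
            return False, "stale command"
        if msg["nonce"] in self.seen_nonces:
            return False, "replayed nonce"
        self.seen_nonces.add(msg["nonce"])
        return True, f"executed {msg['action']}"


class CompromisedRelay:
    """The central server under attacker control: sees and forwards traffic, but has no keys."""

    def forward(self, msg: dict, device: Device) -> tuple[bool, str]:
        return device.handle(msg)

    def inject(self, device: Device, action: str) -> tuple[bool, str]:
        forged = {"device": device.device_id, "action": action,
                  "nonce": secrets.token_hex(16), "ts": int(time.time()), "tag": "00" * 32}
        return device.handle(forged)

    def alter(self, msg: dict, device: Device, action: str) -> tuple[bool, str]:
        return device.handle({**msg, "action": action})


def run_scenarios() -> dict:
    """Legitimate, injected, altered and replayed commands against one device."""
    key = secrets.token_bytes(32)                 # provisioned out of band; the relay never sees it
    device = Device("laptop-017", key)            # constructed device id
    authorizer = Authorizer({"laptop-017": key})
    relay = CompromisedRelay()

    legit = authorizer.authorize("laptop-017", "start-session")
    return {
        "legit": relay.forward(legit, device)[0],
        "injected": relay.inject(device, "run-script")[0],
        "altered": relay.alter(legit, device, "run-script")[0],
        "replayed": relay.forward(legit, device)[0],
    }


if __name__ == "__main__":
    print(run_scenarios())  # {'legit': True, 'injected': False, 'altered': False, 'replayed': False}
```

What the compromised relay keeps is the ability to drop or delay commands and to observe them; what it loses is the ability to originate them, which is exactly the cascading step the ConnectWise scenario depends on. Distributing and rotating the per-device keys, and protecting the agent's update path, become the new hard problems, which is the trade-off the bullets above acknowledge.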


Protect Your Organization with Zero Trust Today

In an era of increasingly sophisticated cyber threats and supply chain vulnerabilities, relying on outdated security models is no longer an option. Zero Trust isn't just a buzzword; it's a fundamental shift in how we approach security, designed for the realities of modern attacks.

If you're looking for an endpoint management and remote access solution built with these critical principles in mind, consider LogMeIn Resolve. LogMeIn Resolve leverages Zero Trust architecture to help secure your remote support operations and protect against cascading compromises. Discover the power of proactive, verifiable security.

Ready to see what a secure management and access solution should be? Request a free trial of LogMeIn Resolve today and explore how to help strengthen your defenses against tomorrow's threats.