The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a new alert highlighting multiple vulnerabilities currently being exploited in the wild. Among the most concerning is a recently patched flaw in ConnectWise ScreenConnect, which has been linked to remote code execution attacks. CISA is also warning about four other actively exploited bugs affecting ASUS routers and the Craft content management system.
Remote Code Execution Risk in ConnectWise ScreenConnect
The most prominent issue is tracked as CVE-2025-3935, which ConnectWise addressed on April 24. The vulnerability stems from improper authentication in the ScreenConnect platform and enables a ViewState code injection attack.
ViewState is a core component in ASP.NET Web Forms that uses base64-encoded data to retain the state of web pages and controls. If attackers gain access to a system’s machine keys, they can tamper with ViewState to execute malicious code directly on the server.
The vulnerability is particularly concerning due to its exploitation in what some believe to be a state-sponsored breach of ConnectWise. Although the vendor has not confirmed details about the method of attack, some customers have linked the incident to CVE-2025-3935. ConnectWise acknowledged that only “a very small number of ScreenConnect customers” were impacted.
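Because the attack described above depends on access to machine keys, one defensive step is to inventory where explicit keys are configured and whether hosts share them. The following is an added example, not code from ConnectWise or CISA; it assumes the standard ASP.NET `<machineKey>` element in a web.config file, and the sample configs, host names and key values are constructed.

```python
import hashlib
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample configs; the hex keys are made up, not real secrets.
STATIC_CONFIG = """<configuration><system.web>
  <machineKey validationKey="00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF"
              decryptionKey="FFEEDDCCBBAA99887766554433221100" />
</system.web></configuration>"""

AUTOGEN_CONFIG = """<configuration><system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps"
              decryptionKey="AutoGenerate,IsolateApps" />
</system.web></configuration>"""


def fingerprint(key_hex):
    """Short SHA-256 tag: lets keys be compared across hosts without logging them."""
    return hashlib.sha256(key_hex.strip().upper().encode()).hexdigest()[:12]


def audit_machine_key(config_xml):
    """Return (finding, fingerprint) tuples for explicit keys in one web.config."""
    findings = []
    for mk in ET.fromstring(config_xml).iter("machineKey"):
        for attr in ("validationKey", "decryptionKey"):
            value = mk.get(attr, "AutoGenerate").strip()
            # Auto-generated keys never appear in the file; explicit ones do.
            if value and not value.upper().startswith("AUTOGENERATE"):
                findings.append((f"static-{attr}", fingerprint(value)))
    return findings


def shared_keys(configs):
    """Map fingerprint -> sorted host names for keys present on more than one host."""
    seen = defaultdict(set)
    for host, xml_text in configs.items():
        for _, fp in audit_machine_key(xml_text):
            seen[fp].add(host)
    return {fp: sorted(hosts) for fp, hosts in seen.items() if len(hosts) > 1}


if __name__ == "__main__":
    fleet = {"web01": STATIC_CONFIG, "web02": STATIC_CONFIG, "web03": AUTOGEN_CONFIG}
    for host, cfg in fleet.items():
        print(host, audit_machine_key(cfg))
    print("shared:", shared_keys(fleet))
```

A fingerprint that appears on several hosts means one exposed key affects all of them, so those hosts need their keys rotated together.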
CISA Flags Critical Flaws in ASUS Routers and Craft CMS
CISA’s alert also identifies four more vulnerabilities as being actively exploited:
- CVE-2021-32030 (CVSS 9.8): Allows authentication bypass in ASUS GT-AC2900 and Lyra Mini devices.
- CVE-2023-39780 (CVSS 8.8): An OS command injection flaw in ASUS RT-AX55, requiring authentication.
- CVE-2024-56145 (CVSS 9.3): A code injection vulnerability in Craft CMS that can lead to remote code execution under certain conditions.
- CVE-2025-35939 (CVSS 6.9): Allows unauthenticated clients to introduce PHP code to known file locations on Craft CMS servers.
Notably, CVE-2023-39780 has been exploited over the past several months in attacks described as highly stealthy and sophisticated. Threat actors are reportedly chaining this vulnerability with authentication bypass techniques that do not yet have a CVE designation. This chain has been used to build a botnet identified as AyySSHush, according to a recent report from GreyNoise.
Compliance Deadline for Federal Agencies
CISA has added all five vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog. U.S. federal agencies are required to apply vendor-provided mitigations or discontinue use of vulnerable systems no later than June 23.
This directive reinforces CISA’s ongoing focus on reducing exposure to commonly exploited flaws in widely used software and hardware. Enterprises relying on any of these platforms should assess their environments immediately and ensure patching and hardening procedures are in place.