Find notable cyber news and cases, enriched with sources, timelines, and signals.
Vulnerability Campaign ×2 Exploitation Wave Security Patch Release

GoAnywhere MFT exploitation after CVE-2025-10035

Updated 07.04.2026 23:15
Case score 73
Case score 73 Members 5 Latest activity 07.04.2026 23:15
Active exploitation Patch available CVSS: 10.0 Critical
Members 5 First seen 19.09.2025 17:20 Last seen 07.04.2026 13:02 Updated 07.04.2026 23:15

Overview

**Fortra GoAnywhere MFT** exploitation of **CVE-2025-10035** moved quickly from vendor investigation into an active ransomware story. The flaw is a critical deserialization issue in the **License Servlet** that matters most when the **Admin Console** is exposed to the public internet, and Microsoft tied abuse of it to **Storm-1175** and **Medusa ransomware**. Fortra said it investigated beginning on September 11, 2025, notified affected customers and law enforcement, and released patched versions later in September. Available evidence does not quantify the full scope of compromise, but it does show enough unauthorized activity and post-exploitation tradecraft to keep exposed deployments on urgent watch.

Signals

16 derived
Impact signals
Exploitation
CVSS 10.0 Critical Exploitation Active exploitation
CVEs/products
CVE
Victims/regions
Sector healthcare Victim region United States Victim region Australia Sector education Victim region United Kingdom
Remediation
Urgency Immediate Remediation Patch available
Status
Campaign status Active
Threat context
Ransomware Tooling Actor Medusa Actor Storm-1175
Data exposure
Leak status Exposed/Unsecured

Malware context

4 families · 3 tools
Tools
MeshAgent Rclone SimpleHelp

Member happenings

5 related
Vulnerability GoAnywhere MFT License Servlet deserialization flaw (CVE-2025-10035)
Updated 19.09.2025 17:20 Lead Contribution 66
CVSS 10.0 Critical Data Status Exposed/Unsecured Patch Patch Available

**Fortra GoAnywhere MFT** vulnerability **CVE-2025-10035** is a **critical deserialization flaw** in the **License Servlet** that can lead to **command injection** and is assessed as **actively exploited since at least September 11, 2025**. **Fortra** said the risk is limited to systems with the **Admin Console exposed to the public internet**, notified affected on-premises customers and **law enforcement**, and released fixes in **September 2025**. **Microsoft** linked exploitation to **Storm-1175** and said the flaw was used to deploy **Medusa ransomware**.

Exploitation Wave Fortra GoAnywhere MFT CVE-2025-10035 active exploitation wave
Updated 07.10.2025 11:45 Scoring Support Contribution 2
Exploitation Active Exploitation CVSS 10.0 Critical Patch Patch Available

**CVE-2025-10035** in **Fortra GoAnywhere Managed File Transfer (MFT)** is being **actively exploited** in **ransomware attacks** against systems with the **admin console exposed to the public internet**. **Fortra** said the flaw is a **critical deserialization vulnerability** in the **License Servlet** and confirmed **unauthorized activity** tied to the issue, while **Microsoft** linked the abuse to **Storm-1175** and **Medusa ransomware**. The vendor investigated starting **September 11, 2025**, notified affected on-premises customers and law enforcement, and released a **hotfix on September 12** followed by full patched versions on **September 15**.

Campaign Storm-1175 high-tempo Medusa ransomware campaign
Updated 07.04.2026 13:02 Scoring Support Contribution 2
Objective Financial Extortion Campaign Active

**Storm-1175** is running a **high-tempo Medusa ransomware campaign** that has repeatedly exploited **n-day and zero-day flaws** to gain initial access before patching closes the window. Microsoft tied the group to **CVE-2025-10035** in **Fortra GoAnywhere MFT**, a **critical deserialization bug** that can enable **unauthenticated command injection** and potential **RCE**, with activity observed since **September 10-11, 2025**. The campaign has affected **healthcare**, **education**, **professional services**, and **finance** organizations in **Australia**, the **UK**, and the **US**, and post-exploitation activity has included **SimpleHelp**, **MeshAgent**, **mstsc.exe**, **Rclone**, and **Cloudflare tunnel** usage.

Campaign Storm-1175 high-velocity exploit campaign
Updated 06.04.2026 19:56 Scoring Support Contribution 2
Objective Financial Extortion Campaign Active Patch Patch Available

**Storm-1175** is running a **high-velocity exploit campaign** that rapidly turns access into **Medusa ransomware** deployment, creating risk of **data exfiltration** and encrypted outages. The group is now tied to **CVE-2025-10035** in **Fortra GoAnywhere Managed File Transfer (MFT)**, a **critical deserialization flaw** with **CVSS 10.0** that Microsoft says is being **actively exploited** in ransomware attacks. Microsoft says **Storm-1175** first used the flaw as a **zero day** on **September 11**, and Fortra patched it on **September 18**. Post-exploitation activity included **SimpleHelp**, **MeshAgent**, **mstsc.exe**, **Rclone**, lateral movement, and a **Cloudflare tunnel** for command-and-control.

Security Patch Release Fortra GoAnywhere MFT security update (CVE-2025-10035)
Updated 19.09.2025 17:20 Context
CVSS 10.0 Critical Urgency Immediate Patch Patch Available

**CVE-2025-10035** in **Fortra GoAnywhere Managed File Transfer (MFT)** is a **critical deserialization flaw** in the **License Servlet** that can enable **unauthenticated command injection** on systems with an **admin console exposed to the public internet**. Fortra said it found potentially suspicious activity after a report on **September 11, 2025**, notified affected on-premises customers and law enforcement, and released a **hotfix** for **7.6.x, 7.7.x, and 7.8.x** the next day, followed by full patched releases **7.6.3** and **7.8.4** on **September 15**. Fortra also said it has received a **limited number of reports** of unauthorized activity, while Microsoft tied exploitation to **Storm-1175** and **Medusa ransomware**.