Vulnerability Campaign ×2 Exploitation Wave Security Patch Release

GoAnywhere MFT exploitation after CVE-2025-10035

Updated 07.04.2026 23:15

Case score 73

Case score 73 Members 5 Latest activity 07.04.2026 23:15 Active exploitation Patch available CVSS: 10.0 Critical

Active exploitation Patch available CVSS: 10.0 Critical

Members 5 First seen 19.09.2025 17:20 Last seen 07.04.2026 13:02 Updated 07.04.2026 23:15

Overview

**Fortra GoAnywhere MFT** exploitation of **CVE-2025-10035** moved quickly from vendor investigation into an active ransomware story. The flaw is a critical deserialization issue in the **License Servlet** that matters most when the **Admin Console** is exposed to the public internet, and Microsoft tied abuse of it to **Storm-1175** and **Medusa ransomware**. Fortra said it investigated beginning on September 11, 2025, notified affected customers and law enforcement, and released patched versions later in September. Available evidence does not quantify the full scope of compromise, but it does show enough unauthorized activity and post-exploitation tradecraft to keep exposed deployments on urgent watch.

Key facts

**CVE-2025-10035** is a critical deserialization flaw in **GoAnywhere MFT** that can lead to unauthenticated command injection through the **License Servlet**.
Fortra said it began investigating on September 11, 2025 and later released patched **GoAnywhere MFT** versions for the flaw.
The risk is concentrated in deployments whose **Admin Console** is reachable from the public internet; other web components are not affected.
Microsoft said **Storm-1175** used **CVE-2025-10035** to deploy **Medusa ransomware**.
Microsoft described **Storm-1175** as a fast-moving extortion group targeting healthcare, education, professional services, and finance organizations in Australia, the United Kingdom, and the United States.
Post-intrusion activity included **SimpleHelp**, **MeshAgent**, **mstsc.exe**, **Rclone**, and a **Cloudflare tunnel**.
Available evidence does not quantify the number of affected organizations, although Fortra said it received a limited number of reports of unauthorized activity.

Malware context

4 families · 3 tools

Tools

MeshAgent Rclone SimpleHelp

Signals

13 derived

Exploitation

CVSS 10.0 Critical Exploitation Active exploitation

CVEs/products

CVE

Victims/regions

Sector healthcare Victim region United States Victim region Australia Sector education Victim region United Kingdom

Remediation

Remediation Patch available

Threat context

Ransomware Tooling Actor Medusa Actor Storm-1175

Member happenings

5 related

Vulnerability GoAnywhere MFT License Servlet deserialization flaw (CVE-2025-10035)

Updated 19.09.2025 17:20 Lead Contribution 66

Data Status Exposed/Unsecured CVSS 10.0 Critical Patch Patch Available

**Fortra GoAnywhere MFT** vulnerability **CVE-2025-10035** is a **critical deserialization flaw** in the **License Servlet** that can lead to **command injection** and is assessed as **actively exploited since at least September 11, 2025**. **Fortra** said the risk is limited to systems with the **Admin Console exposed to the public internet**, notified affected on-premises customers and **law enforcement**, and released fixes in **September 2025**. **Microsoft** linked exploitation to **Storm-1175** and said the flaw was used to deploy **Medusa ransomware**.

View happening

Exploitation Wave Fortra GoAnywhere MFT CVE-2025-10035 active exploitation wave

Updated 07.10.2025 11:45 Scoring Support Contribution 2

Exploitation Active Exploitation CVSS 10.0 Critical Patch Patch Available

**CVE-2025-10035** in **Fortra GoAnywhere Managed File Transfer (MFT)** is being **actively exploited** in **ransomware attacks** against systems with the **admin console exposed to the public internet**. **Fortra** said the flaw is a **critical deserialization vulnerability** in the **License Servlet** and confirmed **unauthorized activity** tied to the issue, while **Microsoft** linked the abuse to **Storm-1175** and **Medusa ransomware**. The vendor investigated starting **September 11, 2025**, notified affected on-premises customers and law enforcement, and released a **hotfix on September 12** followed by full patched versions on **September 15**.

View happening

Campaign Storm-1175 high-tempo Medusa ransomware campaign

Updated 07.04.2026 13:02 Scoring Support Contribution 2

Campaign Active Objective Financial Extortion

**Storm-1175** is running a **high-tempo Medusa ransomware campaign** that has repeatedly exploited **n-day and zero-day flaws** to gain initial access before patching closes the window. Microsoft tied the group to **CVE-2025-10035** in **Fortra GoAnywhere MFT**, a **critical deserialization bug** that can enable **unauthenticated command injection** and potential **RCE**, with activity observed since **September 10-11, 2025**. The campaign has affected **healthcare**, **education**, **professional services**, and **finance** organizations in **Australia**, the **UK**, and the **US**, and post-exploitation activity has included **SimpleHelp**, **MeshAgent**, **mstsc.exe**, **Rclone**, and **Cloudflare tunnel** usage.

View happening

Campaign Storm-1175 high-velocity exploit campaign

Updated 06.04.2026 19:56 Scoring Support Contribution 2

Campaign Active Objective Financial Extortion

**Storm-1175** is running a **high-velocity exploit campaign** that rapidly turns access into **Medusa ransomware** deployment, creating risk of **data exfiltration** and encrypted outages. The group is now tied to **CVE-2025-10035** in **Fortra GoAnywhere Managed File Transfer (MFT)**, a **critical deserialization flaw** with **CVSS 10.0** that Microsoft says is being **actively exploited** in ransomware attacks. Microsoft says **Storm-1175** first used the flaw as a **zero day** on **September 11**, and Fortra patched it on **September 18**. Post-exploitation activity included **SimpleHelp**, **MeshAgent**, **mstsc.exe**, **Rclone**, lateral movement, and a **Cloudflare tunnel** for command-and-control.

View happening

Security Patch Release Fortra GoAnywhere MFT security update (CVE-2025-10035)

Updated 19.09.2025 17:20 Context

Urgency Immediate CVSS 10.0 Critical Patch Patch Available

**CVE-2025-10035** in **Fortra GoAnywhere Managed File Transfer (MFT)** is a **critical deserialization flaw** in the **License Servlet** that can enable **unauthenticated command injection** on systems with an **admin console exposed to the public internet**. Fortra said it found potentially suspicious activity after a report on **September 11, 2025**, notified affected on-premises customers and law enforcement, and released a **hotfix** for **7.6.x, 7.7.x, and 7.8.x** the next day, followed by full patched releases **7.6.3** and **7.8.4** on **September 15**. Fortra also said it has received a **limited number of reports** of unauthorized activity, while Microsoft tied exploitation to **Storm-1175** and **Medusa ransomware**.

View happening