Vulnerability
Campaign ×2
Exploitation Wave
Security Patch Release
GoAnywhere MFT exploitation after CVE-2025-10035
Updated 07.04.2026 23:15
Case score 73
Why this score?
Case score is a discovery signal based on public evidence, not a guaranteed risk rating. Use it to decide what to review first, then verify important details from the linked sources.
- Total
- 73
- Main story score
- 66
- Related evidence lift
- +7 / 20
- Contributing updates
- 3
- Context updates
- 1
Top contributors
- Vulnerability Lead vulnerability anchor: **CVE-2025-10035** in **GoAnywhere MFT**. main
- Exploitation Wave Confirms active exploitation, public exposure conditions, and ransomware use tied to the same flaw. contributes
- Campaign Adds Microsoft’s **Storm-1175** attribution and the broader **Medusa** intrusion pattern. contributes
- Security Patch Release Patch and mitigation guidance for **CVE-2025-10035**; retained as remediation context. context
Case score 73
Members 5
Latest activity 07.04.2026 23:15
Active exploitation
Patch available
CVSS: 10.0 Critical
Members 5
First seen 19.09.2025 17:20
Last seen 07.04.2026 13:02
Updated 07.04.2026 23:15
Overview
**Fortra GoAnywhere MFT** exploitation of **CVE-2025-10035** moved quickly from vendor investigation into an active ransomware story. The flaw is a critical deserialization issue in the **License Servlet** that matters most when the **Admin Console** is exposed to the public internet, and Microsoft tied abuse of it to **Storm-1175** and **Medusa ransomware**.
Fortra said it investigated beginning on September 11, 2025, notified affected customers and law enforcement, and released patched versions later in September. Available evidence does not quantify the full scope of compromise, but it does show enough unauthorized activity and post-exploitation tradecraft to keep exposed deployments on urgent watch.
Attackers are exploiting **CVE-2025-10035** in **Fortra GoAnywhere MFT** to reach the product’s **License Servlet** on systems with an internet-exposed **Admin Console**.
Fortra said it began investigating on September 11, 2025 after a customer reported a potential issue and that the flaw was assessed as actively exploited from that point.
The vendor notified affected customers and law enforcement, then released patched versions for GoAnywhere MFT later in September.
Microsoft said **Storm-1175** used the flaw to deploy **Medusa ransomware**.
Microsoft also described Storm-1175 as a high-tempo extortion group that races patching with exploit use across healthcare, education, professional services, and finance organizations in Australia, the United Kingdom, and the United States.
In those intrusions, the group has used tools such as **SimpleHelp**, **MeshAgent**, **mstsc.exe**, **Rclone**, and a **Cloudflare tunnel** after initial access.
Fortra said the risk is concentrated in deployments whose Admin Console is reachable from the public internet, and other web-based components are not affected.
Available evidence does not quantify the total number of affected organizations, although Fortra said it received a limited number of reports of unauthorized activity.
Signals
16 derivedImpact signals
Exploitation
CVSS
10.0 Critical
Exploitation
Active exploitation
CVEs/products
CVE
Victims/regions
Sector
healthcare
Victim region
United States
Victim region
Australia
Sector
education
Victim region
United Kingdom
Remediation
Urgency
Immediate
Remediation
Patch available
Status
Campaign status
Active
Threat context
Ransomware
Tooling
Actor
Medusa
Actor
Storm-1175
Data exposure
Leak status
Exposed/Unsecured
Malware context
4 families · 3 toolsTools
MeshAgent
Rclone
SimpleHelp
Member happenings
5 related
Vulnerability
GoAnywhere MFT License Servlet deserialization flaw (CVE-2025-10035)
CVSS
10.0 Critical
Data Status
Exposed/Unsecured
Patch
Patch Available
Vulnerability
GoAnywhere MFT License Servlet deserialization flaw (CVE-2025-10035)
CVSS
10.0 Critical
Data Status
Exposed/Unsecured
Patch
Patch Available
Exploitation Wave
Fortra GoAnywhere MFT CVE-2025-10035 active exploitation wave
Exploitation
Active Exploitation
CVSS
10.0 Critical
Patch
Patch Available
Exploitation Wave
Fortra GoAnywhere MFT CVE-2025-10035 active exploitation wave
Exploitation
Active Exploitation
CVSS
10.0 Critical
Patch
Patch Available
Campaign
Storm-1175 high-tempo Medusa ransomware campaign
Objective
Financial Extortion
Campaign
Active
Campaign
Storm-1175 high-tempo Medusa ransomware campaign
Objective
Financial Extortion
Campaign
Active
Campaign
Storm-1175 high-velocity exploit campaign
Objective
Financial Extortion
Campaign
Active
Patch
Patch Available
Campaign
Storm-1175 high-velocity exploit campaign
Objective
Financial Extortion
Campaign
Active
Patch
Patch Available
Security Patch Release
Fortra GoAnywhere MFT security update (CVE-2025-10035)
CVSS
10.0 Critical
Urgency
Immediate
Patch
Patch Available
Security Patch Release
Fortra GoAnywhere MFT security update (CVE-2025-10035)
CVSS
10.0 Critical
Urgency
Immediate
Patch
Patch Available