Critical deserialization flaw in GoAnywhere MFT (CVE-2025-10035) patched
Summary
The critical deserialization vulnerability CVE-2025-10035 in GoAnywhere MFT has been actively exploited by the cybercrime group Storm-1175 in Medusa ransomware attacks since at least September 11, 2025. The flaw, rated 10.0 on the CVSS scale, sits in the same license code path as the earlier CVE-2023-0669, which was widely exploited by multiple ransomware and APT groups in 2023, including LockBit. It lets an attacker bypass signature verification by crafting a forged license response signature, so that arbitrary, attacker-controlled objects are deserialized; successful exploitation can result in command injection and remote code execution (RCE) on the affected system, provided the system is publicly accessible over the internet. Fortra has released patches in versions 7.8.4 and 7.6.3. The vulnerability was disclosed on September 18, 2025, but exploitation began a week earlier. The Shadowserver Foundation is monitoring over 513 GoAnywhere MFT instances exposed online; how many of them have been patched is unknown.

Following exploitation, the threat actor launched binaries with the legitimate remote monitoring and management (RMM) tools SimpleHelp and MeshAgent, used those tools to establish command-and-control (C2) infrastructure, and set up a Cloudflare tunnel for secure C2 communication. The deployment and execution of Rclone was observed in at least one victim environment during the exfiltration stage. Medusa ransomware has over 300 global victims in critical infrastructure sectors, including a confirmed attack on a US healthcare organization in early 2025.

Fortra began investigating the vulnerability on September 11, 2025, following a customer report; the same day it contacted on-premises customers with publicly accessible admin consoles and notified law enforcement. A hotfix for versions 7.6.x, 7.7.x, and 7.8.x was released on September 12, 2025, and full patches for versions 7.6.3 and 7.8.4 on September 15, 2025. The CVE was formally published on September 18, 2025. Fortra has confirmed a limited number of reports of unauthorized activity related to CVE-2025-10035 and recommends restricting admin console access over the internet and enabling monitoring. watchTowr CEO and founder Benjamin Harris reiterated the need for transparency from Fortra regarding the private keys used in the exploit.
Timeline
- 10.10.2025 14:42 · 1 article
Fortra confirms unauthorized activity related to CVE-2025-10035
Fortra has confirmed a limited number of reports of unauthorized activity related to CVE-2025-10035. The company recommends restricting admin console access over the internet and enabling monitoring to mitigate the risk. watchTowr CEO and founder Benjamin Harris called for transparency from Fortra regarding how the threat actors obtained the private keys needed to exploit the vulnerability.
Sources:
- From Detection to Patch: Fortra Reveals Full Timeline of CVE-2025-10035 Exploitation — thehackernews.com — 10.10.2025 14:42
- 06.10.2025 21:11 · 3 articles
Storm-1175 exploits GoAnywhere flaw in Medusa ransomware attacks
watchTowr CEO and founder Benjamin Harris stated that organizations running GoAnywhere MFT have been under silent assault since at least September 11, 2025. He also called for transparency from Fortra regarding how threat actors obtained the private keys needed to exploit the vulnerability and why organizations were left in the dark for so long.
Sources:
- Microsoft: Critical GoAnywhere bug exploited in ransomware attacks — www.bleepingcomputer.com — 06.10.2025 21:11
- Microsoft: Critical GoAnywhere Bug Exploited in Medusa Ransomware Campaign — www.infosecurity-magazine.com — 07.10.2025 11:45
- Microsoft Links Storm-1175 to GoAnywhere Exploit Deploying Medusa Ransomware — thehackernews.com — 07.10.2025 11:15
- 26.09.2025 12:22 · 4 articles
Exploitation of CVE-2025-10035 in GoAnywhere MFT confirmed
The Shadowserver Foundation is monitoring over 513 GoAnywhere instances currently exposed, with 363 located in North America.
Sources:
- Fortra GoAnywhere CVSS 10 Flaw Exploited as 0-Day a Week Before Public Disclosure — thehackernews.com — 26.09.2025 12:22
- Maximum severity GoAnywhere MFT flaw exploited as zero day — www.bleepingcomputer.com — 26.09.2025 16:50
- Microsoft: Critical GoAnywhere bug exploited in ransomware attacks — www.bleepingcomputer.com — 06.10.2025 21:11
- Microsoft: Critical GoAnywhere Bug Exploited in Medusa Ransomware Campaign — www.infosecurity-magazine.com — 07.10.2025 11:45
- 19.09.2025 17:12 · 9 articles
Critical deserialization flaw in GoAnywhere MFT (CVE-2025-10035) patched
The attack chain following initial access entails dropping remote monitoring and management (RMM) tools, such as SimpleHelp and MeshAgent, to maintain persistence. The threat actors have also been observed creating .jsp files within the GoAnywhere MFT directories, often at the same time as the dropped RMM tools. In the next phase, commands for user, network, and system discovery are executed, followed by leveraging mstsc.exe (i.e., Windows Remote Desktop Connection) for lateral movement across the network. The downloaded RMM tools are used for command-and-control (C2) using a Cloudflare tunnel, with Microsoft observing the use of Rclone in at least one victim environment for data exfiltration. The attack ultimately paves the way for the Medusa ransomware deployment.

Fortra began investigating the vulnerability on September 11, 2025, following a customer report. Fortra contacted on-premises customers with publicly accessible admin consoles and notified law enforcement on September 11, 2025. A hotfix for versions 7.6.x, 7.7.x, and 7.8.x was released on September 12, 2025. Full patches for versions 7.6.3 and 7.8.4 were released on September 15, 2025. The CVE for the vulnerability was formally published on September 18, 2025. Fortra confirmed a limited number of reports of unauthorized activity related to CVE-2025-10035. Fortra recommends restricting admin console access over the internet and enabling monitoring. watchTowr CEO and founder Benjamin Harris reiterated the need for transparency from Fortra regarding the private keys used in the exploit.
Sources:
- Fortra Releases Critical Patch for CVSS 10.0 GoAnywhere MFT Vulnerability — thehackernews.com — 19.09.2025 17:12
- Fortra warns of max severity flaw in GoAnywhere MFT’s License Servlet — www.bleepingcomputer.com — 19.09.2025 17:20
- Patch Now: Max-Severity Fortra GoAnywhere Bug Allows Command Injection — www.darkreading.com — 19.09.2025 23:35
- Fortra GoAnywhere CVSS 10 Flaw Exploited as 0-Day a Week Before Public Disclosure — thehackernews.com — 26.09.2025 12:22
- Maximum severity GoAnywhere MFT flaw exploited as zero day — www.bleepingcomputer.com — 26.09.2025 16:50
- Microsoft: Critical GoAnywhere bug exploited in ransomware attacks — www.bleepingcomputer.com — 06.10.2025 21:11
- Microsoft: Critical GoAnywhere Bug Exploited in Medusa Ransomware Campaign — www.infosecurity-magazine.com — 07.10.2025 11:45
- Microsoft Links Storm-1175 to GoAnywhere Exploit Deploying Medusa Ransomware — thehackernews.com — 07.10.2025 11:15
- From Detection to Patch: Fortra Reveals Full Timeline of CVE-2025-10035 Exploitation — thehackernews.com — 10.10.2025 14:42
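The attack chain in the timeline entry above names host-level indicators a defender can correlate: .jsp files appearing under the GoAnywhere MFT install tree, RMM agents (SimpleHelp, MeshAgent) dropped around the same time, and mstsc.exe or Rclone activity afterwards. The following is an added example, not code from the original page or from Fortra or Microsoft; the pipe-delimited event format, the 30-minute co-occurrence window, and every host name and file path in SAMPLE_EVENTS are constructed assumptions.

```python
"""Correlate constructed host events against the post-exploitation
indicators described in the reporting (jsp drop in the GoAnywhere tree,
RMM agent drop, later mstsc.exe / Rclone use). Event format, window
width, hosts and paths are assumptions made for this example."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed event format: timestamp|host|kind|path|command line
SAMPLE_EVENTS = """\
2025-09-11T02:14:07|mft01|file_create|C:\\Fortra\\GoAnywhere\\tomcat\\webapps\\ROOT\\x.jsp|
2025-09-11T02:19:40|mft01|file_create|C:\\Users\\Public\\SimpleHelp\\Remote Access.exe|
2025-09-11T02:21:03|mft01|process_start|C:\\Users\\Public\\SimpleHelp\\Remote Access.exe|
2025-09-11T02:44:12|mft01|process_start|C:\\Windows\\System32\\mstsc.exe|mstsc.exe /v:fs02
2025-09-11T05:02:55|mft01|process_start|C:\\ProgramData\\rclone.exe|rclone copy D:\\share remote:bucket
2025-09-11T09:30:00|web07|file_create|C:\\inetpub\\wwwroot\\index.jsp|
2025-09-12T10:00:00|mft02|process_start|C:\\Windows\\System32\\mstsc.exe|mstsc.exe
"""

RMM_MARKERS = ("simplehelp", "meshagent")   # RMM tools named in the reporting
LATERAL_MARKERS = ("mstsc.exe",)            # Remote Desktop Connection client
EXFIL_MARKERS = ("rclone",)                 # exfiltration tool seen by Microsoft
WINDOW = timedelta(minutes=30)              # "often at the same time" (assumed width)


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str       # "file_create" or "process_start"
    path: str       # created file or process image
    cmdline: str


@dataclass
class Finding:
    host: str
    rule: str
    severity: str
    evidence: List[str] = field(default_factory=list)


def parse_events(text: str) -> List[Event]:
    """Parse the constructed pipe-delimited format into Event objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, kind, path, cmdline = line.split("|", 4)
        events.append(Event(datetime.fromisoformat(ts), host, kind, path, cmdline))
    return events


def _matches(ev: Event, markers) -> bool:
    hay = (ev.path + " " + ev.cmdline).lower()
    return any(m in hay for m in markers)


def is_jsp_in_goanywhere(ev: Event) -> bool:
    """A .jsp written anywhere under a path containing 'goanywhere'."""
    p = ev.path.lower()
    return ev.kind == "file_create" and p.endswith(".jsp") and "goanywhere" in p


def correlate(events: List[Event]) -> List[Finding]:
    """Apply both rules per host; findings come back in time order."""
    findings: List[Finding] = []
    by_host: Dict[str, List[Event]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(ev.host, []).append(ev)

    for host, evs in by_host.items():
        jsp = [e for e in evs if is_jsp_in_goanywhere(e)]
        rmm = [e for e in evs if _matches(e, RMM_MARKERS)]

        # Rule 1: a .jsp in the GoAnywhere tree is suspicious on its own;
        # an RMM drop within WINDOW of it raises the severity.
        for j in jsp:
            near = [r for r in rmm if abs(r.ts - j.ts) <= WINDOW]
            findings.append(Finding(host, "jsp_in_goanywhere_tree",
                                    "high" if near else "medium",
                                    [j.path] + [r.path for r in near]))

        # Rule 2: mstsc.exe / Rclone count only after the host already shows
        # a compromise anchor; on their own they are routine admin tooling.
        anchor = min((e.ts for e in jsp + rmm), default=None)
        if anchor is None:
            continue
        for e in evs:
            if e.ts <= anchor:
                continue
            if _matches(e, LATERAL_MARKERS):
                findings.append(Finding(host, "lateral_movement_after_compromise",
                                        "high", [e.cmdline or e.path]))
            elif _matches(e, EXFIL_MARKERS):
                findings.append(Finding(host, "exfil_tool_after_compromise",
                                        "critical", [e.cmdline or e.path]))
    return findings


if __name__ == "__main__":
    for f in correlate(parse_events(SAMPLE_EVENTS)):
        print(f"{f.host} {f.severity:8} {f.rule}: {'; '.join(f.evidence)}")
```

On the sample, only mft01 produces findings: web07's .jsp is outside any GoAnywhere path and mft02's lone mstsc.exe has no preceding compromise anchor.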
Information Snippets
- The vulnerability is a deserialization flaw in the License Servlet of GoAnywhere MFT.
First reported: 19.09.2025 17:12 · 4 sources, 9 articles. Sources:
- Fortra Releases Critical Patch for CVSS 10.0 GoAnywhere MFT Vulnerability — thehackernews.com — 19.09.2025 17:12
- Fortra warns of max severity flaw in GoAnywhere MFT’s License Servlet — www.bleepingcomputer.com — 19.09.2025 17:20
- Patch Now: Max-Severity Fortra GoAnywhere Bug Allows Command Injection — www.darkreading.com — 19.09.2025 23:35
- Fortra GoAnywhere CVSS 10 Flaw Exploited as 0-Day a Week Before Public Disclosure — thehackernews.com — 26.09.2025 12:22
- Maximum severity GoAnywhere MFT flaw exploited as zero day — www.bleepingcomputer.com — 26.09.2025 16:50
- Microsoft: Critical GoAnywhere bug exploited in ransomware attacks — www.bleepingcomputer.com — 06.10.2025 21:11
- Microsoft: Critical GoAnywhere Bug Exploited in Medusa Ransomware Campaign — www.infosecurity-magazine.com — 07.10.2025 11:45
- Microsoft Links Storm-1175 to GoAnywhere Exploit Deploying Medusa Ransomware — thehackernews.com — 07.10.2025 11:15
- From Detection to Patch: Fortra Reveals Full Timeline of CVE-2025-10035 Exploitation — thehackernews.com — 10.10.2025 14:42
- The flaw allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, potentially leading to command injection.
First reported: 19.09.2025 17:12 · 4 sources, 9 articles. Sources:
- Fortra Releases Critical Patch for CVSS 10.0 GoAnywhere MFT Vulnerability — thehackernews.com — 19.09.2025 17:12
- Fortra warns of max severity flaw in GoAnywhere MFT’s License Servlet — www.bleepingcomputer.com — 19.09.2025 17:20
- Patch Now: Max-Severity Fortra GoAnywhere Bug Allows Command Injection — www.darkreading.com — 19.09.2025 23:35
- Fortra GoAnywhere CVSS 10 Flaw Exploited as 0-Day a Week Before Public Disclosure — thehackernews.com — 26.09.2025 12:22
- Maximum severity GoAnywhere MFT flaw exploited as zero day — www.bleepingcomputer.com — 26.09.2025 16:50
- Microsoft: Critical GoAnywhere bug exploited in ransomware attacks — www.bleepingcomputer.com — 06.10.2025 21:11
- Microsoft: Critical GoAnywhere Bug Exploited in Medusa Ransomware Campaign — www.infosecurity-magazine.com — 07.10.2025 11:45
- Microsoft Links Storm-1175 to GoAnywhere Exploit Deploying Medusa Ransomware — thehackernews.com — 07.10.2025 11:15
- From Detection to Patch: Fortra Reveals Full Timeline of CVE-2025-10035 Exploitation — thehackernews.com — 10.10.2025 14:42
- The vulnerability is rated 10.0 on the CVSS scale, indicating maximum severity.
First reported: 19.09.2025 17:12 · 4 sources, 8 articles. Sources:
- Fortra Releases Critical Patch for CVSS 10.0 GoAnywhere MFT Vulnerability — thehackernews.com — 19.09.2025 17:12
- Fortra warns of max severity flaw in GoAnywhere MFT’s License Servlet — www.bleepingcomputer.com — 19.09.2025 17:20
- Patch Now: Max-Severity Fortra GoAnywhere Bug Allows Command Injection — www.darkreading.com — 19.09.2025 23:35
- Fortra GoAnywhere CVSS 10 Flaw Exploited as 0-Day a Week Before Public Disclosure — thehackernews.com — 26.09.2025 12:22
- Microsoft: Critical GoAnywhere bug exploited in ransomware attacks — www.bleepingcomputer.com — 06.10.2025 21:11
- Microsoft: Critical GoAnywhere Bug Exploited in Medusa Ransomware Campaign — www.infosecurity-magazine.com — 07.10.2025 11:45
- Microsoft Links Storm-1175 to GoAnywhere Exploit Deploying Medusa Ransomware — thehackernews.com — 07.10.2025 11:15
- From Detection to Patch: Fortra Reveals Full Timeline of CVE-2025-10035 Exploitation — thehackernews.com — 10.10.2025 14:42
- The flaw is exploitable if the system is publicly accessible over the internet.
First reported: 19.09.2025 17:12 · 4 sources, 9 articles. Sources:
- Fortra Releases Critical Patch for CVSS 10.0 GoAnywhere MFT Vulnerability — thehackernews.com — 19.09.2025 17:12
- Fortra warns of max severity flaw in GoAnywhere MFT’s License Servlet — www.bleepingcomputer.com — 19.09.2025 17:20
- Patch Now: Max-Severity Fortra GoAnywhere Bug Allows Command Injection — www.darkreading.com — 19.09.2025 23:35
- Fortra GoAnywhere CVSS 10 Flaw Exploited as 0-Day a Week Before Public Disclosure — thehackernews.com — 26.09.2025 12:22
- Maximum severity GoAnywhere MFT flaw exploited as zero day — www.bleepingcomputer.com — 26.09.2025 16:50
- Microsoft: Critical GoAnywhere bug exploited in ransomware attacks — www.bleepingcomputer.com — 06.10.2025 21:11
- Microsoft: Critical GoAnywhere Bug Exploited in Medusa Ransomware Campaign — www.infosecurity-magazine.com — 07.10.2025 11:45
- Microsoft Links Storm-1175 to GoAnywhere Exploit Deploying Medusa Ransomware — thehackernews.com — 07.10.2025 11:15
- From Detection to Patch: Fortra Reveals Full Timeline of CVE-2025-10035 Exploitation — thehackernews.com — 10.10.2025 14:42
- Fortra has released patches in versions 7.8.4 and 7.6.3.
First reported: 19.09.2025 17:12 · 4 sources, 9 articles. Sources:
- Fortra Releases Critical Patch for CVSS 10.0 GoAnywhere MFT Vulnerability — thehackernews.com — 19.09.2025 17:12
- Fortra warns of max severity flaw in GoAnywhere MFT’s License Servlet — www.bleepingcomputer.com — 19.09.2025 17:20
- Patch Now: Max-Severity Fortra GoAnywhere Bug Allows Command Injection — www.darkreading.com — 19.09.2025 23:35
- Fortra GoAnywhere CVSS 10 Flaw Exploited as 0-Day a Week Before Public Disclosure — thehackernews.com — 26.09.2025 12:22
- Maximum severity GoAnywhere MFT flaw exploited as zero day — www.bleepingcomputer.com — 26.09.2025 16:50
- Microsoft: Critical GoAnywhere bug exploited in ransomware attacks — www.bleepingcomputer.com — 06.10.2025 21:11
- Microsoft: Critical GoAnywhere Bug Exploited in Medusa Ransomware Campaign — www.infosecurity-magazine.com — 07.10.2025 11:45
- Microsoft Links Storm-1175 to GoAnywhere Exploit Deploying Medusa Ransomware — thehackernews.com — 07.10.2025 11:15
- From Detection to Patch: Fortra Reveals Full Timeline of CVE-2025-10035 Exploitation — thehackernews.com — 10.10.2025 14:42
- No exploitation in the wild has been reported.
First reported: 19.09.2025 17:12 · 3 sources, 4 articles. Sources:
- Fortra Releases Critical Patch for CVSS 10.0 GoAnywhere MFT Vulnerability — thehackernews.com — 19.09.2025 17:12
- Fortra warns of max severity flaw in GoAnywhere MFT’s License Servlet — www.bleepingcomputer.com — 19.09.2025 17:20
- Patch Now: Max-Severity Fortra GoAnywhere Bug Allows Command Injection — www.darkreading.com — 19.09.2025 23:35
- Fortra GoAnywhere CVSS 10 Flaw Exploited as 0-Day a Week Before Public Disclosure — thehackernews.com — 26.09.2025 12:22
- Previous vulnerabilities in GoAnywhere MFT were exploited by ransomware actors.
First reported: 19.09.2025 17:12 · 2 sources, 3 articles. Sources:
- Fortra Releases Critical Patch for CVSS 10.0 GoAnywhere MFT Vulnerability — thehackernews.com — 19.09.2025 17:12
- Fortra warns of max severity flaw in GoAnywhere MFT’s License Servlet — www.bleepingcomputer.com — 19.09.2025 17:20
- Fortra GoAnywhere CVSS 10 Flaw Exploited as 0-Day a Week Before Public Disclosure — thehackernews.com — 26.09.2025 12:22
- The flaw impacts the same license code path as the earlier CVE-2023-0669, which was widely exploited by multiple ransomware and APT groups in 2023, including LockBit.
First reported: 19.09.2025 17:12 · 3 sources, 7 articles. Sources:
- Fortra Releases Critical Patch for CVSS 10.0 GoAnywhere MFT Vulnerability — thehackernews.com — 19.09.2025 17:12
- Fortra warns of max severity flaw in GoAnywhere MFT’s License Servlet — www.bleepingcomputer.com — 19.09.2025 17:20
- Fortra GoAnywhere CVSS 10 Flaw Exploited as 0-Day a Week Before Public Disclosure — thehackernews.com — 26.09.2025 12:22
- Maximum severity GoAnywhere MFT flaw exploited as zero day — www.bleepingcomputer.com — 26.09.2025 16:50
- Microsoft: Critical GoAnywhere Bug Exploited in Medusa Ransomware Campaign — www.infosecurity-magazine.com — 07.10.2025 11:45
- Microsoft Links Storm-1175 to GoAnywhere Exploit Deploying Medusa Ransomware — thehackernews.com — 07.10.2025 11:15
- From Detection to Patch: Fortra Reveals Full Timeline of CVE-2025-10035 Exploitation — thehackernews.com — 10.10.2025 14:42
- The vulnerability is likely to be exploited soon due to the number of Internet-facing GoAnywhere MFT instances.
First reported: 19.09.2025 17:12 · 2 sources, 3 articles. Sources:
- Fortra Releases Critical Patch for CVSS 10.0 GoAnywhere MFT Vulnerability — thehackernews.com — 19.09.2025 17:12
- Fortra warns of max severity flaw in GoAnywhere MFT’s License Servlet — www.bleepingcomputer.com — 19.09.2025 17:20
- Fortra GoAnywhere CVSS 10 Flaw Exploited as 0-Day a Week Before Public Disclosure — thehackernews.com — 26.09.2025 12:22
- Fortra discovered the vulnerability during a security check on September 11, 2025.
First reported: 19.09.2025 17:20 · 4 sources, 5 articles. Sources:
- Fortra warns of max severity flaw in GoAnywhere MFT’s License Servlet — www.bleepingcomputer.com — 19.09.2025 17:20
- Patch Now: Max-Severity Fortra GoAnywhere Bug Allows Command Injection — www.darkreading.com — 19.09.2025 23:35
- Maximum severity GoAnywhere MFT flaw exploited as zero day — www.bleepingcomputer.com — 26.09.2025 16:50
- Microsoft: Critical GoAnywhere Bug Exploited in Medusa Ransomware Campaign — www.infosecurity-magazine.com — 07.10.2025 11:45
- From Detection to Patch: Fortra Reveals Full Timeline of CVE-2025-10035 Exploitation — thehackernews.com — 10.10.2025 14:42
- The vulnerability was discovered over the weekend, but the discoverer was not specified.
First reported: 19.09.2025 17:20 · 2 sources, 2 articles. Sources:
- Fortra warns of max severity flaw in GoAnywhere MFT’s License Servlet — www.bleepingcomputer.com — 19.09.2025 17:20
- Patch Now: Max-Severity Fortra GoAnywhere Bug Allows Command Injection — www.darkreading.com — 19.09.2025 23:35
- Fortra advised customers to review configurations immediately and remove public access from the Admin Console.
First reported: 19.09.2025 17:20 · 3 sources, 5 articles. Sources:
- Fortra warns of max severity flaw in GoAnywhere MFT’s License Servlet — www.bleepingcomputer.com — 19.09.2025 17:20
- Patch Now: Max-Severity Fortra GoAnywhere Bug Allows Command Injection — www.darkreading.com — 19.09.2025 23:35
- Fortra GoAnywhere CVSS 10 Flaw Exploited as 0-Day a Week Before Public Disclosure — thehackernews.com — 26.09.2025 12:22
- Maximum severity GoAnywhere MFT flaw exploited as zero day — www.bleepingcomputer.com — 26.09.2025 16:50
- From Detection to Patch: Fortra Reveals Full Timeline of CVE-2025-10035 Exploitation — thehackernews.com — 10.10.2025 14:42
- The Shadowserver Foundation is monitoring over 470 GoAnywhere MFT instances, but the number of patched instances is unknown.
First reported: 19.09.2025 17:20 · 2 sources, 3 articles. Sources:
- Fortra warns of max severity flaw in GoAnywhere MFT’s License Servlet — www.bleepingcomputer.com — 19.09.2025 17:20
- Fortra GoAnywhere CVSS 10 Flaw Exploited as 0-Day a Week Before Public Disclosure — thehackernews.com — 26.09.2025 12:22
- Maximum severity GoAnywhere MFT flaw exploited as zero day — www.bleepingcomputer.com — 26.09.2025 16:50
- The Clop ransomware gang exploited a similar flaw (CVE-2023-0669) in GoAnywhere MFT two years ago.
First reported: 19.09.2025 17:20 · 1 source, 1 article. Sources:
- Fortra warns of max severity flaw in GoAnywhere MFT’s License Servlet — www.bleepingcomputer.com — 19.09.2025 17:20
- The vulnerability is present in the License Servlet of GoAnywhere MFT.
First reported: 19.09.2025 23:35 · 3 sources, 3 articles. Sources:
- Patch Now: Max-Severity Fortra GoAnywhere Bug Allows Command Injection — www.darkreading.com — 19.09.2025 23:35
- Fortra GoAnywhere CVSS 10 Flaw Exploited as 0-Day a Week Before Public Disclosure — thehackernews.com — 26.09.2025 12:22
- Maximum severity GoAnywhere MFT flaw exploited as zero day — www.bleepingcomputer.com — 26.09.2025 16:50
- The flaw is highly dependent on systems being externally exposed to the internet.
First reported: 19.09.2025 23:35 · 3 sources, 3 articles. Sources:
- Patch Now: Max-Severity Fortra GoAnywhere Bug Allows Command Injection — www.darkreading.com — 19.09.2025 23:35
- Fortra GoAnywhere CVSS 10 Flaw Exploited as 0-Day a Week Before Public Disclosure — thehackernews.com — 26.09.2025 12:22
- Maximum severity GoAnywhere MFT flaw exploited as zero day — www.bleepingcomputer.com — 26.09.2025 16:50
- The vulnerability CVE-2025-10035 in GoAnywhere MFT was actively exploited in the wild as early as September 10, 2025, a week before public disclosure.
First reported: 26.09.2025 12:22 · 2 sources, 4 articles. Sources:
- Fortra GoAnywhere CVSS 10 Flaw Exploited as 0-Day a Week Before Public Disclosure — thehackernews.com — 26.09.2025 12:22
- Maximum severity GoAnywhere MFT flaw exploited as zero day — www.bleepingcomputer.com — 26.09.2025 16:50
- Microsoft: Critical GoAnywhere bug exploited in ransomware attacks — www.bleepingcomputer.com — 06.10.2025 21:11
- From Detection to Patch: Fortra Reveals Full Timeline of CVE-2025-10035 Exploitation — thehackernews.com — 10.10.2025 14:42
- watchTowr Labs provided evidence of exploitation efforts, including a stack trace showing the creation of a backdoor account.
First reported: 26.09.2025 12:22 · 2 sources, 3 articles. Sources:
- Fortra GoAnywhere CVSS 10 Flaw Exploited as 0-Day a Week Before Public Disclosure — thehackernews.com — 26.09.2025 12:22
- Maximum severity GoAnywhere MFT flaw exploited as zero day — www.bleepingcomputer.com — 26.09.2025 16:50
- Microsoft: Critical GoAnywhere bug exploited in ransomware attacks — www.bleepingcomputer.com — 06.10.2025 21:11
- The exploitation sequence involved triggering the pre-authentication vulnerability to achieve remote code execution (RCE), creating a new GoAnywhere user, and uploading additional payloads.
First reported: 26.09.2025 12:22 · 2 sources, 3 articles. Sources:
- Fortra GoAnywhere CVSS 10 Flaw Exploited as 0-Day a Week Before Public Disclosure — thehackernews.com — 26.09.2025 12:22
- Maximum severity GoAnywhere MFT flaw exploited as zero day — www.bleepingcomputer.com — 26.09.2025 16:50
- Microsoft: Critical GoAnywhere bug exploited in ransomware attacks — www.bleepingcomputer.com — 06.10.2025 21:11
- The threat actor activity originated from the IP address 155.2.190[.]197, which has been flagged for conducting brute-force attacks targeting Fortinet FortiGate SSL VPN appliances.
First reported: 26.09.2025 12:22 · 2 sources, 3 articles. Sources:
- Fortra GoAnywhere CVSS 10 Flaw Exploited as 0-Day a Week Before Public Disclosure — thehackernews.com — 26.09.2025 12:22
- Maximum severity GoAnywhere MFT flaw exploited as zero day — www.bleepingcomputer.com — 26.09.2025 16:50
- Microsoft: Critical GoAnywhere bug exploited in ransomware attacks — www.bleepingcomputer.com — 06.10.2025 21:11
- Rapid7 identified the vulnerability as a chain of three separate issues: an access control bypass, the unsafe deserialization vulnerability, and an unknown issue related to a private key.
First reported: 26.09.2025 12:22 · 2 sources, 2 articles. Sources:
- Fortra GoAnywhere CVSS 10 Flaw Exploited as 0-Day a Week Before Public Disclosure — thehackernews.com — 26.09.2025 12:22
- Maximum severity GoAnywhere MFT flaw exploited as zero day — www.bleepingcomputer.com — 26.09.2025 16:50
- The vulnerability was disclosed on September 18, 2025, but Fortra had learned about it a week earlier.
First reported: 26.09.2025 16:50 · 3 sources, 4 articles. Sources:
- Maximum severity GoAnywhere MFT flaw exploited as zero day — www.bleepingcomputer.com — 26.09.2025 16:50
- Microsoft: Critical GoAnywhere bug exploited in ransomware attacks — www.bleepingcomputer.com — 06.10.2025 21:11
- Microsoft: Critical GoAnywhere Bug Exploited in Medusa Ransomware Campaign — www.infosecurity-magazine.com — 07.10.2025 11:45
- From Detection to Patch: Fortra Reveals Full Timeline of CVE-2025-10035 Exploitation — thehackernews.com — 10.10.2025 14:42
- watchTowr Labs provided credible evidence of exploitation efforts, including a stack trace showing the creation of a backdoor account.
First reported: 26.09.2025 16:50 · 1 source, 2 articles. Sources:
- Maximum severity GoAnywhere MFT flaw exploited as zero day — www.bleepingcomputer.com — 26.09.2025 16:50
- Microsoft: Critical GoAnywhere bug exploited in ransomware attacks — www.bleepingcomputer.com — 06.10.2025 21:11
- The cybercrime group Storm-1175 has been actively exploiting the GoAnywhere MFT vulnerability (CVE-2025-10035) in Medusa ransomware attacks since at least September 11, 2025.
First reported: 06.10.2025 21:11 · 3 sources, 4 articles. Sources:
- Microsoft: Critical GoAnywhere bug exploited in ransomware attacks — www.bleepingcomputer.com — 06.10.2025 21:11
- Microsoft: Critical GoAnywhere Bug Exploited in Medusa Ransomware Campaign — www.infosecurity-magazine.com — 07.10.2025 11:45
- Microsoft Links Storm-1175 to GoAnywhere Exploit Deploying Medusa Ransomware — thehackernews.com — 07.10.2025 11:15
- From Detection to Patch: Fortra Reveals Full Timeline of CVE-2025-10035 Exploitation — thehackernews.com — 10.10.2025 14:42
- Microsoft confirmed that Storm-1175 used the vulnerability for initial access and maintained persistence using RMM tools like SimpleHelp and MeshAgent.
First reported: 06.10.2025 21:11 · 3 sources, 4 articles. Sources:
- Microsoft: Critical GoAnywhere bug exploited in ransomware attacks — www.bleepingcomputer.com — 06.10.2025 21:11
- Microsoft: Critical GoAnywhere Bug Exploited in Medusa Ransomware Campaign — www.infosecurity-magazine.com — 07.10.2025 11:45
- Microsoft Links Storm-1175 to GoAnywhere Exploit Deploying Medusa Ransomware — thehackernews.com — 07.10.2025 11:15
- From Detection to Patch: Fortra Reveals Full Timeline of CVE-2025-10035 Exploitation — thehackernews.com — 10.10.2025 14:42
- The attack involved network reconnaissance, lateral movement, and data exfiltration using tools like Netscan, Rclone, and the Microsoft Remote Desktop Connection client.
First reported: 06.10.2025 21:11 · 3 sources, 3 articles. Sources:
- Microsoft: Critical GoAnywhere bug exploited in ransomware attacks — www.bleepingcomputer.com — 06.10.2025 21:11
- Microsoft: Critical GoAnywhere Bug Exploited in Medusa Ransomware Campaign — www.infosecurity-magazine.com — 07.10.2025 11:45
- Microsoft Links Storm-1175 to GoAnywhere Exploit Deploying Medusa Ransomware — thehackernews.com — 07.10.2025 11:15
- Medusa ransomware has impacted over 300 critical infrastructure organizations in the United States.
First reported: 06.10.2025 21:11 · 3 sources, 3 articles. Sources:
- Microsoft: Critical GoAnywhere bug exploited in ransomware attacks — www.bleepingcomputer.com — 06.10.2025 21:11
- Microsoft: Critical GoAnywhere Bug Exploited in Medusa Ransomware Campaign — www.infosecurity-magazine.com — 07.10.2025 11:45
- Microsoft Links Storm-1175 to GoAnywhere Exploit Deploying Medusa Ransomware — thehackernews.com — 07.10.2025 11:15
- Storm-1175 has been linked to other ransomware operations, including the deployment of Akira and Black Basta ransomware.
First reported: 06.10.2025 21:11 · 2 sources, 2 articles. Sources:
- Microsoft: Critical GoAnywhere bug exploited in ransomware attacks — www.bleepingcomputer.com — 06.10.2025 21:11
- Microsoft: Critical GoAnywhere Bug Exploited in Medusa Ransomware Campaign — www.infosecurity-magazine.com — 07.10.2025 11:45
- Microsoft and Fortra advised admins to upgrade to the latest versions and inspect log files for signs of exploitation.
First reported: 06.10.2025 21:11 · 2 sources, 2 articles. Sources:
- Microsoft: Critical GoAnywhere bug exploited in ransomware attacks — www.bleepingcomputer.com — 06.10.2025 21:11
- Microsoft: Critical GoAnywhere Bug Exploited in Medusa Ransomware Campaign — www.infosecurity-magazine.com — 07.10.2025 11:45
- The vulnerability in GoAnywhere MFT allows an attacker to bypass signature verification by crafting a forged license response signature, enabling the deserialization of arbitrary, attacker-controlled objects.
First reported: 07.10.2025 11:15 · 2 sources, 2 articles. Sources:
- Microsoft: Critical GoAnywhere Bug Exploited in Medusa Ransomware Campaign — www.infosecurity-magazine.com — 07.10.2025 11:45
- Microsoft Links Storm-1175 to GoAnywhere Exploit Deploying Medusa Ransomware — thehackernews.com — 07.10.2025 11:15
- Successful exploitation of the vulnerability could result in command injection and potential remote code execution (RCE) on the affected system.
First reported: 07.10.2025 11:15 · 2 sources, 2 articles. Sources:
- Microsoft: Critical GoAnywhere Bug Exploited in Medusa Ransomware Campaign — www.infosecurity-magazine.com — 07.10.2025 11:45
- Microsoft Links Storm-1175 to GoAnywhere Exploit Deploying Medusa Ransomware — thehackernews.com — 07.10.2025 11:15
- The threat actor used legitimate remote monitoring and management (RMM) tools SimpleHelp and MeshAgent to launch binaries following exploitation.
First reported: 07.10.2025 11:15 · 2 sources, 2 articles. Sources:
- Microsoft: Critical GoAnywhere Bug Exploited in Medusa Ransomware Campaign — www.infosecurity-magazine.com — 07.10.2025 11:45
- Microsoft Links Storm-1175 to GoAnywhere Exploit Deploying Medusa Ransomware — thehackernews.com — 07.10.2025 11:15
- The threat actor utilized RMM tools to establish command-and-control (C2) infrastructure and set up a Cloudflare tunnel for secure C2 communication.
First reported: 07.10.2025 11:15 · 2 sources, 2 articles. Sources:
- Microsoft: Critical GoAnywhere Bug Exploited in Medusa Ransomware Campaign — www.infosecurity-magazine.com — 07.10.2025 11:45
- Microsoft Links Storm-1175 to GoAnywhere Exploit Deploying Medusa Ransomware — thehackernews.com — 07.10.2025 11:15
- The deployment and execution of Rclone was observed in at least one victim environment during the exfiltration stage.
First reported: 07.10.2025 11:15 · 2 sources, 2 articles. Sources:
- Microsoft: Critical GoAnywhere Bug Exploited in Medusa Ransomware Campaign — www.infosecurity-magazine.com — 07.10.2025 11:45
- Microsoft Links Storm-1175 to GoAnywhere Exploit Deploying Medusa Ransomware — thehackernews.com — 07.10.2025 11:15
- There are 513 GoAnywhere instances currently exposed, with 363 located in North America.
First reported: 07.10.2025 11:45 · 1 source, 1 article. Sources:
- Microsoft: Critical GoAnywhere Bug Exploited in Medusa Ransomware Campaign — www.infosecurity-magazine.com — 07.10.2025 11:45
- Medusa ransomware has over 300 global victims in critical infrastructure sectors, including a confirmed attack on a US healthcare organization in early 2025.
First reported: 07.10.2025 11:15 · 2 sources, 2 articles. Sources:
- Microsoft: Critical GoAnywhere Bug Exploited in Medusa Ransomware Campaign — www.infosecurity-magazine.com — 07.10.2025 11:45
- Microsoft Links Storm-1175 to GoAnywhere Exploit Deploying Medusa Ransomware — thehackernews.com — 07.10.2025 11:15
- Storm-1175 has been exploiting the GoAnywhere MFT vulnerability (CVE-2025-10035) in Medusa ransomware attacks since at least September 11, 2025.
First reported: 07.10.2025 11:15 · 1 source, 1 article. Sources:
- Microsoft Links Storm-1175 to GoAnywhere Exploit Deploying Medusa Ransomware — thehackernews.com — 07.10.2025 11:15
- The attack chain involves dropping remote monitoring and management (RMM) tools, such as SimpleHelp and MeshAgent, to maintain persistence.
First reported: 07.10.2025 11:15 · 1 source, 1 article. Sources:
- Microsoft Links Storm-1175 to GoAnywhere Exploit Deploying Medusa Ransomware — thehackernews.com — 07.10.2025 11:15
- The threat actors have been observed creating .jsp files within the GoAnywhere MFT directories, often at the same time as the dropped RMM tools.
First reported: 07.10.2025 11:15 · 1 source, 1 article. Sources:
- Microsoft Links Storm-1175 to GoAnywhere Exploit Deploying Medusa Ransomware — thehackernews.com — 07.10.2025 11:15
- The attack chain includes commands for user, network, and system discovery, followed by leveraging mstsc.exe for lateral movement across the network.
First reported: 07.10.2025 11:15 · 1 source, 1 article. Sources:
- Microsoft Links Storm-1175 to GoAnywhere Exploit Deploying Medusa Ransomware — thehackernews.com — 07.10.2025 11:15
-
The downloaded RMM tools are used for command-and-control (C2) using a Cloudflare tunnel, with Microsoft observing the use of Rclone in at least one victim environment for data exfiltration.
First reported: 07.10.2025 11:15 (1 source, 1 article)
- Microsoft Links Storm-1175 to GoAnywhere Exploit Deploying Medusa Ransomware — thehackernews.com — 07.10.2025 11:15
The attack ultimately paves the way for the Medusa ransomware deployment.
First reported: 07.10.2025 11:15 (1 source, 1 article)
- Microsoft Links Storm-1175 to GoAnywhere Exploit Deploying Medusa Ransomware — thehackernews.com — 07.10.2025 11:15
watchTowr CEO and founder Benjamin Harris stated that organizations running GoAnywhere MFT have been under silent assault since at least September 11, 2025.
First reported: 07.10.2025 11:15 (1 source, 2 articles)
- Microsoft Links Storm-1175 to GoAnywhere Exploit Deploying Medusa Ransomware — thehackernews.com — 07.10.2025 11:15
- From Detection to Patch: Fortra Reveals Full Timeline of CVE-2025-10035 Exploitation — thehackernews.com — 10.10.2025 14:42
watchTowr CEO and founder Benjamin Harris called for transparency from Fortra regarding how threat actors obtained the private keys needed to exploit the vulnerability and why organizations were left in the dark for so long.
First reported: 07.10.2025 11:15 (1 source, 2 articles)
- Microsoft Links Storm-1175 to GoAnywhere Exploit Deploying Medusa Ransomware — thehackernews.com — 07.10.2025 11:15
- From Detection to Patch: Fortra Reveals Full Timeline of CVE-2025-10035 Exploitation — thehackernews.com — 10.10.2025 14:42
Fortra began investigating the vulnerability on September 11, 2025, following a customer report.
First reported: 10.10.2025 14:42 (1 source, 1 article)
- From Detection to Patch: Fortra Reveals Full Timeline of CVE-2025-10035 Exploitation — thehackernews.com — 10.10.2025 14:42
Fortra contacted on-premises customers with publicly accessible admin consoles and notified law enforcement on September 11, 2025.
First reported: 10.10.2025 14:42 (1 source, 1 article)
- From Detection to Patch: Fortra Reveals Full Timeline of CVE-2025-10035 Exploitation — thehackernews.com — 10.10.2025 14:42
A hotfix for versions 7.6.x, 7.7.x, and 7.8.x was released on September 12, 2025.
First reported: 10.10.2025 14:42 (1 source, 1 article)
- From Detection to Patch: Fortra Reveals Full Timeline of CVE-2025-10035 Exploitation — thehackernews.com — 10.10.2025 14:42
Full patches for versions 7.6.3 and 7.8.4 were released on September 15, 2025.
First reported: 10.10.2025 14:42 (1 source, 1 article)
- From Detection to Patch: Fortra Reveals Full Timeline of CVE-2025-10035 Exploitation — thehackernews.com — 10.10.2025 14:42
The CVE for the vulnerability was formally published on September 18, 2025.
First reported: 10.10.2025 14:42 (1 source, 1 article)
- From Detection to Patch: Fortra Reveals Full Timeline of CVE-2025-10035 Exploitation — thehackernews.com — 10.10.2025 14:42
Fortra confirmed a limited number of reports of unauthorized activity related to CVE-2025-10035.
First reported: 10.10.2025 14:42 (1 source, 1 article)
- From Detection to Patch: Fortra Reveals Full Timeline of CVE-2025-10035 Exploitation — thehackernews.com — 10.10.2025 14:42
Fortra recommends restricting admin console access over the internet and enabling monitoring.
First reported: 10.10.2025 14:42 (1 source, 1 article)
- From Detection to Patch: Fortra Reveals Full Timeline of CVE-2025-10035 Exploitation — thehackernews.com — 10.10.2025 14:42
watchTowr CEO and founder Benjamin Harris reiterated the need for transparency from Fortra regarding the private keys used in the exploit.
First reported: 10.10.2025 14:42 (1 source, 1 article)
- From Detection to Patch: Fortra Reveals Full Timeline of CVE-2025-10035 Exploitation — thehackernews.com — 10.10.2025 14:42
Similar Happenings
Command Injection Vulnerability in Figma MCP
A command injection vulnerability (CVE-2025-53967) in the Figma MCP server allows remote code execution. The flaw, stemming from unsanitized user input, was patched in version 0.6.3. The issue affects developers using AI-powered coding agents like Cursor. The vulnerability could be exploited by attackers on the same network or via DNS rebinding attacks. It was discovered by Imperva in July 2025 and was addressed in the latest release. The flaw resides in the 'src/utils/fetch-with-retry.ts' file, where the curl command is constructed using shell command strings, enabling potential remote code execution. The patch replaces 'child_process.exec()' with 'child_process.execFile()' and implements proper input validation. Users should upgrade to Figma MCP version 0.6.3 or higher, audit systems using vulnerable versions, and review logs for suspicious command execution patterns. There are over 15,000 MCP servers in the world, with many misconfigured and lacking authentication or access controls.
Critical Redis Lua Use-After-Free Vulnerability Exploitable for Remote Code Execution
A critical vulnerability in Redis, tracked as CVE-2025-49844 and dubbed "RediShell", allows authenticated attackers to achieve remote code execution on vulnerable instances. The flaw, a 13-year-old use-after-free weakness in the Redis Lua scripting engine, affects all versions of Redis and can be exploited to gain full access to the host system. Successful exploitation can lead to data exfiltration, encryption, or lateral movement within cloud environments. The vulnerability impacts approximately 330,000 exposed Redis instances, with around 60,000 of them not requiring authentication. Patches have been released in versions 6.2.20, 7.2.11, 7.4.6, 8.0.4, and 8.2.2, and administrators are urged to update their instances immediately. Additional patches have been released for versions 7.22.2-12, 7.8.6-207, 7.4.6-272, 7.2.4-138, and 6.4.2-131. Temporary workarounds include setting an access control list (ACL) to restrict EVAL and EVALSHA commands. The vulnerability was discovered and reported by cloud security company Wiz on May 16, 2025. The flaw was jointly disclosed by Redis and Wiz on October 3, 2025. There is no evidence that the vulnerability was exploited in the wild. Exploitation abuses the use-after-free (UAF) memory corruption to escape the Lua sandbox and achieve arbitrary code execution. Wiz recommended implementing Redis authentication and network access controls, and urged organizations to prioritize patching Redis instances exposed to the Internet.
UNC5174 Exploits VMware Zero-Day Privilege Escalation Since October 2024
A China-linked threat actor, UNC5174, has been exploiting a zero-day privilege escalation vulnerability in VMware products since mid-October 2024. The flaw, CVE-2025-41244, affects multiple VMware products and allows local attackers to escalate privileges to root on affected virtual machines. The vulnerability was discovered in May 2025 and patched in VMware Tools 12.4.9 and later versions. The flaw is rooted in the get_version() function, which can be exploited by placing a malicious binary in a writable directory. UNC5174 has been observed using this method to gain elevated access and execute code on compromised systems. The exact payload and nature of the attacks remain unclear. Broadcom has confirmed the patch for the vulnerability in VMware Aria Operations and VMware Tools. NVISO released a proof-of-concept exploit demonstrating privilege escalation on vulnerable VMware software. UNC5174 has been linked to previous attacks on U.S. defense contractors, UK government entities, Asian institutions, and the cybersecurity firm SentinelOne, exploiting vulnerabilities such as F5 BIG-IP CVE-2023-46747 and a ConnectWise ScreenConnect flaw. The exploitation of CVE-2025-41244 is considered trivial, potentially benefiting multiple malware strains. NVISO identified the vulnerability in mid-May 2025 during an incident response engagement involving UNC5174. Broadcom disclosed three vulnerabilities on September 29, 2025, including CVE-2025-41244. The CVSS severity rating for CVE-2025-41244 is 7.8, classified as high.
ForcedLeak Vulnerability in Salesforce Agentforce Exploited via AI Prompt Injection
A critical vulnerability in Salesforce Agentforce, named ForcedLeak, allowed attackers to exfiltrate sensitive CRM data through indirect prompt injection. The flaw affected organizations using Salesforce Agentforce with Web-to-Lead functionality enabled. The vulnerability was discovered and reported by Noma Security on July 28, 2025. Salesforce has since patched the issue and implemented additional security measures, including regaining control of an expired domain and preventing AI agent output from being sent to untrusted domains. The exploit involved manipulating the Description field in Web-to-Lead forms to execute malicious instructions, leading to data leakage. Salesforce has enforced a Trusted URL allowlist to mitigate the risk of similar attacks in the future. The ForcedLeak vulnerability is a critical vulnerability chain with a CVSS score of 9.4, described as a cross-site scripting (XSS) play for the AI era. The exploit involves embedding a malicious prompt in a Web-to-Lead form, which the AI agent processes, leading to data leakage. The attack could potentially lead to the exfiltration of internal communications, business strategy insights, and detailed customer information. Salesforce is addressing the root cause of the vulnerability by implementing more robust layers of defense for their models and agents.
CISA Emergency Directive 25-03: Mitigation of Cisco ASA Zero-Day Vulnerabilities
The Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 25-03, mandating federal agencies to identify and mitigate zero-day vulnerabilities in Cisco Adaptive Security Appliances (ASA) exploited by an advanced threat actor. The directive requires agencies to account for all affected devices, collect forensic data, and upgrade or disconnect end-of-support devices by September 26, 2025. The vulnerabilities allow threat actors to maintain persistence and gain network access. Cisco identified multiple zero-day vulnerabilities (CVE-2025-20333, CVE-2025-20362, CVE-2025-20363, and CVE-2025-20352) in Cisco ASA, Firewall Threat Defense (FTD) software, and Cisco IOS software. These vulnerabilities enable unauthenticated remote code execution, unauthorized access, and denial of service (DoS) attacks. GreyNoise detected large-scale campaigns targeting ASA login portals and Cisco IOS Telnet/SSH services, indicating potential exploitation of these vulnerabilities. The campaign is widespread and involves exploiting zero-day vulnerabilities to gain unauthenticated remote code execution on ASAs, as well as manipulating read-only memory (ROM) to persist through reboot and system upgrade. CISA and Cisco linked these ongoing attacks to the ArcaneDoor campaign, which exploited two other ASA and FTD zero-days (CVE-2024-20353 and CVE-2024-20359) to breach government networks worldwide since November 2023. CISA ordered agencies to identify all Cisco ASA and Firepower appliances on their networks, disconnect all compromised devices from the network, and patch those that show no signs of malicious activity by 12 PM EDT on September 26. CISA also ordered that agencies must permanently disconnect ASA devices that are reaching the end of support by September 30 from their networks. The U.K. National Cyber Security Centre (NCSC) confirmed that threat actors exploited the recently disclosed security flaws in Cisco firewalls to deliver previously undocumented malware families like RayInitiator and LINE VIPER. Cisco began investigating attacks on multiple government agencies in May 2025, linked to the state-sponsored ArcaneDoor campaign. The attacks targeted Cisco ASA 5500-X Series devices to implant malware, execute commands, and potentially exfiltrate data. The threat actor modified ROMMON to facilitate persistence across reboots and software upgrades. The compromised devices include ASA 5500-X Series models running specific software releases with VPN web services enabled. The Canadian Centre for Cyber Security urged organizations to update to a fixed version of Cisco ASA and FTD products to counter the threat. Nearly 50,000 Cisco ASA and FTD appliances are vulnerable to actively exploited flaws. The vulnerabilities CVE-2025-20333 and CVE-2025-20362 enable arbitrary code execution and access to restricted URL endpoints. The Shadowserver Foundation discovered over 48,800 internet-exposed ASA and FTD instances still vulnerable to the flaws. The majority of vulnerable devices are located in the United States, followed by the United Kingdom, Japan, Germany, Russia, Canada, and Denmark. The Shadowserver Foundation's data is as of September 29, indicating a lack of response to the ongoing exploitation activity. GreyNoise had warned on September 4 about suspicious scans targeting Cisco ASA devices, indicating upcoming undocumented flaws. CISA's emergency directive gave FCEB agencies 24 hours to identify and upgrade vulnerable Cisco ASA and FTD instances. CISA advised that ASA devices reaching their end of support should be disconnected from federal networks by the end of September. The U.K. NCSC reported that the hackers deployed the LINE VIPER shellcode loader malware and the RayInitiator GRUB bootkit.