
Critical deserialization vulnerability in Fortra GoAnywhere MFT

📰 2 unique sources, 2 articles

Summary

Fortra disclosed a critical deserialization vulnerability in GoAnywhere Managed File Transfer (MFT) software (CVE-2025-10035). This flaw, with a CVSS score of 10.0, allows arbitrary command execution through a forged license response signature. The vulnerability affects systems accessible over the internet and was patched in versions 7.8.4 and 7.6.3. Fortra has not confirmed exploitation in the wild, but similar vulnerabilities in the same product were previously exploited by ransomware actors. Users are advised to update to the patched versions immediately or restrict public access to the GoAnywhere Admin Console. Fortra discovered the vulnerability during a security check on September 11, 2025. The vulnerability was identified in the License Servlet of GoAnywhere MFT. Over 470 GoAnywhere MFT instances are being monitored by the Shadowserver Foundation.

Timeline

  1. 19.09.2025 17:20 📰 1 article

    Shadowserver Foundation monitoring over 470 GoAnywhere MFT instances

    The Shadowserver Foundation is monitoring over 470 GoAnywhere MFT instances, though it is unclear how many have been patched or have their admin console exposed online.

  2. 19.09.2025 17:12 📰 2 articles

    Critical deserialization vulnerability in GoAnywhere MFT disclosed and patched

    Fortra disclosed a critical deserialization vulnerability (CVE-2025-10035) in GoAnywhere Managed File Transfer (MFT) software. This flaw, with a CVSS score of 10.0, allows arbitrary command execution through a forged license response signature. The vulnerability affects systems accessible over the internet and was patched in versions 7.8.4 and 7.6.3. Fortra has not confirmed exploitation in the wild, but similar vulnerabilities in the same product were previously exploited by ransomware actors. Fortra discovered the vulnerability during a security check on September 11, 2025. The vulnerability was identified in the License Servlet of GoAnywhere MFT.

Similar Happenings

Malware exploitation of Ivanti EPMM vulnerabilities CVE-2025-4427 and CVE-2025-4428

Two sets of malware have been discovered in an unnamed organization's network following the exploitation of vulnerabilities CVE-2025-4427 and CVE-2025-4428 in Ivanti Endpoint Manager Mobile (EPMM). The vulnerabilities were exploited around May 15, 2025, to gain access to the server running EPMM. This allowed attackers to execute arbitrary code, collect system information, download malicious files, and exfiltrate data. The malware sets included loaders that enabled persistence by injecting and running arbitrary code on the compromised server. The attacks leveraged two vulnerabilities: an authentication bypass (CVE-2025-4427) and a remote code execution flaw (CVE-2025-4428). The vulnerabilities affect Ivanti EPMM development branches 11.12.0.4, 12.3.0.1, 12.4.0.1, and 12.5.0.0. The attackers targeted the /mifs/rs/api/v2/ endpoint with HTTP GET requests to send malicious remote commands. The malware sets included distinct loaders with the same name, and malicious listeners for injecting and running arbitrary code. The threat actor delivered the malware through separate HTTP GET requests in segmented, Base64-encoded chunks. CISA provided detailed indicators of compromise (IOCs), YARA rules, and a SIGMA rule to help organizations detect such attacks. CISA recommends patching affected Ivanti EPMM immediately and treating mobile device management (MDM) systems as high-value assets (HVAs).

Critical Remote Code Execution Vulnerability in WatchGuard Firebox Firewalls

WatchGuard has patched a critical remote code execution vulnerability in Firebox firewalls. The flaw, CVE-2025-9242, is an out-of-bounds write issue affecting devices running specific versions of Fireware OS. Exploitation can lead to remote code execution on vulnerable devices configured to use IKEv2 VPN. The vulnerability impacts Firebox firewalls running Fireware OS 11.x, 12.x, and 2025.1. The flaw is exploitable if the firewalls are configured to use IKEv2 VPN, and devices may remain vulnerable even if the configurations have been deleted. WatchGuard has provided patches and a temporary workaround for affected systems. The vulnerability is not yet exploited in the wild, but administrators are advised to update their devices promptly.

FileFix Attack Using Steganography to Deploy StealC Infostealer

A new FileFix social engineering campaign impersonates Meta account suspension warnings to trick users into installing the StealC infostealer malware. The attack uses steganography to hide malicious scripts and executables within a JPG image. The campaign targets various credentials, cryptocurrency wallets, and cloud services. The FileFix technique abuses the File Explorer address bar to execute PowerShell commands, bypassing traditional detection methods. The attack was discovered by Acronis and observed over a two-week period, with multiple variants using different payloads and domains. The StealC malware aims to steal sensitive information from infected devices, including browser credentials, messaging app data, and cryptocurrency wallets. The FileFix technique was created by red team researcher mr.d0x and has been previously used by the Interlock ransomware gang. The attack uses a multilingual phishing site to trick users into copying and pasting a malicious command into the File Explorer address bar. The campaign abuses Bitbucket repositories to host malicious components, leveraging trust in the platform to bypass detection. The FileFix campaign is the most widespread, customized, and sophisticated to date, targeting users in over 16 countries. The phishing site has been translated into at least 16 different languages. The attack chain involves a phishing email impersonating Facebook security, warning users of account suspension. The attack uses AI-generated images in the steganography process. The FileFix technique is more elegant and less suspicious than ClickFix, using File Explorer instead of the Run dialog. The FileFix attack offers a broader range of high-value targets due to its use of File Explorer. Security researcher Eliad Kimhy predicts an increase in FileFix attacks in the near future. The FileFix attack involves a fake Cloudflare Turnstile verification page that redirects users to a Windows File Explorer search query. 
The attack uses a Windows shortcut LNK file disguised as a PDF to initiate the infection chain. The LNK file downloads a legitimate AnyDesk installer and a malicious MSI package that installs MetaStealer. The MSI package contains a DLL and a CAB archive with malicious files, including a MetaStealer dropper. The MetaStealer dropper is protected with Private EXE Protector and is designed to steal cryptocurrency wallets. The attack leverages the Windows search protocol to redirect users to an attacker-controlled SMB share. The FileFix attack has evolved to include a more sophisticated infection chain that bypasses traditional detection methods. The attack uses a multi-stage process involving Windows File Explorer, a fake PDF lure, and an MSI package to deploy MetaStealer. The FileFix attack has been observed to use a combination of social engineering and advanced technical techniques to evade detection.

CISA Defunding and Dismantling Affects Cybersecurity Response

The Cybersecurity and Infrastructure Security Agency (CISA) is being defunded and dismantled, jeopardizing the timely identification and mitigation of cyber vulnerabilities. This development leaves organizations more vulnerable to zero-day exploits and delays in response times. CISA's role in coordinating vulnerability information and providing detailed advisories is crucial for accelerating the discovery and resolution of security issues. CISA's partnership with the Center for Internet Security has ended, and over a hundred employees have been laid off. The Common Vulnerabilities and Exposures (CVE) program, funded through CISA, was extended but faces an uncertain future. The Cybersecurity Information Sharing Act of 2015 is up for renewal, with no clear indication of its future. The defunding and dismantling of CISA will increase the risk of exploitation for businesses and their customers, as organizations will have to rely on their own resources or public disclosures to identify vulnerabilities. This delay can leave systems exposed to attacks for longer periods.

Active exploitation of CVE-2025-5086 in DELMIA Apriso

CVE-2025-5086, a critical deserialization flaw in Dassault Systèmes DELMIA Apriso Manufacturing Operations Management (MOM) software, is being actively exploited. The vulnerability, with a CVSS score of 9.0, affects versions from Release 2020 through Release 2025. Exploitation attempts have been observed, targeting the /apriso/WebServices/FlexNetOperationsService.svc/Invoke endpoint with a Base64-encoded payload. The payload decodes to a GZIP-compressed Windows executable that deploys a malicious program designed to spy on user activities. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, advising Federal Civilian Executive Branch (FCEB) agencies to apply updates by October 2, 2025. The malware, identified as Trojan.MSIL.Zapchast.gen, captures keyboard input, takes screenshots, and gathers information about active applications. This information is then sent to the attacker via various means, including email, FTP, and HTTP. The exploit involves sending a malicious SOAP request to vulnerable endpoints. The malicious requests were observed originating from the IP 156.244.33[.]162.