Fortra GoAnywhere MFT security update (CVE-2025-10035)
Security Patch Release
Summary
Hide ▲
Show ▼
CVE-2025-10035 in Fortra GoAnywhere Managed File Transfer (MFT) is a critical deserialization flaw in the License Servlet that can enable unauthenticated command injection on systems with an admin console exposed to the public internet. Fortra said it found potentially suspicious activity after a report on September 11, 2025, notified affected on-premises customers and law enforcement, and released a hotfix for 7.6.x, 7.7.x, and 7.8.x the next day, followed by full patched releases 7.6.3 and 7.8.4 on September 15. Fortra also said it has received a limited number of reports of unauthorized activity, while Microsoft tied exploitation to Storm-1175 and Medusa ransomware.
Cases
Related Happenings
Fortinet security patch release for CVE-2026-44277
Security Patch Release
First: 12.05.2026 21:23
Last: 12.05.2026 21:23
Sources 1
About this happening:
Fortinet released **security updates** for **FortiSandbox** and **FortiAuthenticator** to fix **two critical vulnerabilities** that could let an **unauthenticated attacker** execu...
Fortinet security patch release for CVE-2026-44277
Security Patch ReleaseAbout this happening: Fortinet released **security updates** for **FortiSandbox** and **FortiAuthenticator** to fix **two critical vulnerabilities** that could let an **unauthenticated attacker** execu...
Linux kernel Dirty Frag patch release (CVE-2026-43284, CVE-2026-43500)
Security Patch Release
First: 11.05.2026 17:30
Last: 11.05.2026 17:30
Sources 1
About this happening:
**Major Linux distributions** are rolling out fixes for **Dirty Frag**, the **Linux kernel** patch release that covers **CVE-2026-43284** and **CVE-2026-43500**. The update matter...
Linux kernel Dirty Frag patch release (CVE-2026-43284, CVE-2026-43500)
Security Patch ReleaseAbout this happening: **Major Linux distributions** are rolling out fixes for **Dirty Frag**, the **Linux kernel** patch release that covers **CVE-2026-43284** and **CVE-2026-43500**. The update matter...
Microsoft Defender BlueHammer (CVE-2026-33825) Patch Tuesday update
Security Patch Release
First: 16.04.2026 23:19
Last: 16.04.2026 23:19
Sources 1
About this happening:
**Microsoft** shipped a **Patch Tuesday** fix for **CVE-2026-33825**, a **Microsoft Defender** local-privilege-escalation flaw that can lead to **SYSTEM** access. The update narro...
Microsoft Defender BlueHammer (CVE-2026-33825) Patch Tuesday update
Security Patch ReleaseAbout this happening: **Microsoft** shipped a **Patch Tuesday** fix for **CVE-2026-33825**, a **Microsoft Defender** local-privilege-escalation flaw that can lead to **SYSTEM** access. The update narro...
Microsoft April 2026 Patch Tuesday security update (165 CVEs)
Security Patch Release
First: 15.04.2026 00:22
Last: 15.04.2026 00:22
Sources 1
About this happening:
**Microsoft** shipped **April 2026 Patch Tuesday** updates covering **165 CVEs**, including an **actively exploited zero-day** and a **publicly disclosed** flaw, creating immediat...
Microsoft April 2026 Patch Tuesday security update (165 CVEs)
Security Patch ReleaseAbout this happening: **Microsoft** shipped **April 2026 Patch Tuesday** updates covering **165 CVEs**, including an **actively exploited zero-day** and a **publicly disclosed** flaw, creating immediat...
Microsoft April 2026 Patch Tuesday security updates (167 flaws)
Security Patch Release
First: 14.04.2026 20:41
Last: 14.04.2026 20:41
Sources 1
About this happening:
Microsoft's **April 2026 Patch Tuesday** ships **security updates** for **167 flaws**, including **2 zero-days**, reducing exposure across widely used Microsoft software. The rele...
Microsoft April 2026 Patch Tuesday security updates (167 flaws)
Security Patch ReleaseAbout this happening: Microsoft's **April 2026 Patch Tuesday** ships **security updates** for **167 flaws**, including **2 zero-days**, reducing exposure across widely used Microsoft software. The rele...
Timeline
-
19.09.2025 17:20 3 articles · 8mo ago
Fortra identifies GoAnywhere MFT License Servlet flaw
Technical Analysis UpdateDuring a security check on September 11, 2025, Fortra identified that GoAnywhere customers with an internet-accessible Admin Console could be exposed to unauthorized third-party access through CVE-2025-10035, a maximum-severity deserialization flaw in the License Servlet that can enable remote command injection.
Show sources
- Fortra warns of max severity flaw in GoAnywhere MFT’s License Servlet — www.bleepingcomputer.com — 19.09.2025 17:20
- Microsoft: Critical GoAnywhere Bug Exploited in Medusa Ransomware Campaign — www.infosecurity-magazine.com — 07.10.2025 11:45
- From Detection to Patch: Fortra Reveals Full Timeline of CVE-2025-10035 Exploitation — thehackernews.com — 10.10.2025 14:42
-
19.09.2025 17:20 4 articles · 8mo ago
Fortra releases GoAnywhere MFT patches for CVE-2025-10035
Mitigation Patch UpdateOn September 19, 2025, Fortra released GoAnywhere MFT 7.8.4 and Sustain Release 7.6.3 to patch CVE-2025-10035 and advised administrators to remove public access from the GoAnywhere Admin Console if they cannot upgrade immediately, because exploitation is highly dependent on systems being externally exposed to the internet.
Show sources
- Fortra warns of max severity flaw in GoAnywhere MFT’s License Servlet — www.bleepingcomputer.com — 19.09.2025 17:20
- Fortra warns of max severity flaw in GoAnywhere MFT’s License Servlet — www.bleepingcomputer.com — 19.09.2025 17:20
- Patch Now: Max-Severity Fortra GoAnywhere Bug Allows Command Injection — www.darkreading.com — 19.09.2025 23:35
- Maximum severity GoAnywhere MFT flaw exploited as zero day — www.bleepingcomputer.com — 26.09.2025 16:50