GoAnywhere MFT License Servlet deserialization flaw (CVE-2025-10035)
Vulnerability
Summary
Fortra GoAnywhere MFT vulnerability CVE-2025-10035 is a critical deserialization flaw in the License Servlet that can lead to command injection and is assessed as actively exploited since at least September 11, 2025. Fortra said the risk is limited to systems with the Admin Console exposed to the public internet, notified affected on-premises customers and law enforcement, and released fixes in September 2025. Microsoft linked exploitation to Storm-1175 and said the flaw was used to deploy Medusa ransomware.
Cases
Related Happenings
Storm-1175 high-tempo Medusa ransomware campaign
Campaign
First: 07.04.2026 13:02
Last: 07.04.2026 13:02
Sources 1
How related:
The vulnerability is CVE-2025-10035 (CVSS score: 10.0), a critical deserialization bug that could result in command injection without authentication.
About this happening:
**Storm-1175** is running a **high-tempo Medusa ransomware campaign** that has repeatedly exploited **n-day and zero-day flaws** to gain initial access before patching closes the...
Storm-1175 high-velocity exploit campaign
Campaign
First: 06.04.2026 19:56
Last: 06.04.2026 19:56
Sources 1
How related:
Although patched by developer Fortra on September 18, the vulnerability was originally exploited as a zero day a week earlier (September 11) by threat group Storm-1175.
About this happening:
**Storm-1175** is running a **high-velocity exploit campaign** that rapidly turns access into **Medusa ransomware** deployment, creating risk of **data exfiltration** and encrypte...
CISA KEV listing for Wing FTP CVE-2025-47813
Public Sector Action
First: 17.03.2026 07:23
Last: 17.03.2026 07:23
Sources 1
About this happening:
CISA added **CVE-2025-47813** in **Wing FTP Server** to the **KEV catalog** after evidence of **active exploitation**, putting the flaw under formal government tracking. The listi...
CISA adds two Roundcube flaws to KEV catalog
Public Sector Action
First: 21.02.2026 09:21
Last: 21.02.2026 09:21
Sources 1
About this happening:
**CISA** added **two Roundcube webmail flaws** to the **KEV catalog** after citing **active exploitation**, increasing urgency for federal remediation. **CVE-2025-49113** is a **C...
CISA KEV multi-product active exploitation wave (CVE-2020-7796)
Exploitation Wave
First: 18.02.2026 08:52
Last: 18.02.2026 08:52
Sources 1
About this happening:
**CISA** expanded its **KEV catalog** with **four actively exploited flaws**, signaling a live exploitation wave across **Chrome, TeamT5 ThreatSonar, Zimbra, and Windows Video Act...
Timeline
-
19.09.2025 17:20 4 articles · 8mo ago
Fortra identifies CVE-2025-10035 in GoAnywhere MFT
Technical Analysis Update
During a security check on September 11, 2025, Fortra identified that GoAnywhere customers with an Admin Console accessible over the internet could face unauthorized third-party exposure from a deserialization flaw in the License Servlet, where a validly forged license response signature could let an actor deserialize an arbitrary actor-controlled object and possibly reach command injection.
Sources:
- Fortra warns of max severity flaw in GoAnywhere MFT’s License Servlet — www.bleepingcomputer.com — 19.09.2025 17:20
- Maximum severity GoAnywhere MFT flaw exploited as zero day — www.bleepingcomputer.com — 26.09.2025 16:50
- Microsoft: Critical GoAnywhere Bug Exploited in Medusa Ransomware Campaign — www.infosecurity-magazine.com — 07.10.2025 11:45
- From Detection to Patch: Fortra Reveals Full Timeline of CVE-2025-10035 Exploitation — thehackernews.com — 10.10.2025 14:42
-
19.09.2025 17:20 3 articles · 8mo ago
Fortra releases GoAnywhere MFT fixes and mitigation guidance
Mitigation Patch Update
Fortra released GoAnywhere MFT 7.8.4 and Sustain Release 7.6.3 to patch CVE-2025-10035 and told administrators to remove public internet access from the GoAnywhere Admin Console if they cannot upgrade immediately, because exploitation is highly dependent on systems being externally exposed to the internet.
Sources:
- Fortra warns of max severity flaw in GoAnywhere MFT’s License Servlet — www.bleepingcomputer.com — 19.09.2025 17:20
- Patch Now: Max-Severity Fortra GoAnywhere Bug Allows Command Injection — www.darkreading.com — 19.09.2025 23:35