Find notable cyber news and cases, enriched with sources, timelines, and signals.

Fortra GoAnywhere MFT CVE-2025-10035 active exploitation wave

Exploitation Wave
First reported
Last updated
Happening score
H score 48
2 unique sources, 2 articles

Summary

Hide ▲

CVE-2025-10035 in Fortra GoAnywhere Managed File Transfer (MFT) is being actively exploited in ransomware attacks against systems with the admin console exposed to the public internet. Fortra said the flaw is a critical deserialization vulnerability in the License Servlet and confirmed unauthorized activity tied to the issue, while Microsoft linked the abuse to Storm-1175 and Medusa ransomware. The vendor investigated starting September 11, 2025, notified affected on-premises customers and law enforcement, and released a hotfix on September 12 followed by full patched versions on September 15.

Cases

Related Happenings

FortiClient EMS CVE-2026-35616 exploitation wave

Exploitation Wave
H score56 First: 28.05.2026 18:26 Last: 28.05.2026 18:26 Sources 1

About this happening: **CVE-2026-35616** exploitation in **FortiClient Enterprise Management Server (EMS)** is being used to deliver the undocumented credential stealer **EKZ**. Attackers are abusing u...

Grafana Labs Says GitHub hit by cyberattack

Incident
H score70 First: 17.05.2026 10:13 Last: 17.05.2026 10:13 Sources 1

About this happening: A **Grafana Labs** incident was later tied to the **Mini Shai-Hulud** supply-chain campaign against **TanStack npm packages**. Grafana said an unauthorized party used a token to a...

OpenAI launches Daybreak cybersecurity initiative for AI-powered vulnerability detection and patch validation

Security Tool/Service
H score25 First: 12.05.2026 09:55 Last: 12.05.2026 09:55 Sources 1

About this happening: OpenAI's **Daybreak** launch adds an **AI-powered cybersecurity service** for **vulnerability detection** and **patch validation**, helping organizations fix flaws before attacker...

MetInfo CMS unauthenticated PHP code injection actively exploited remote code execution flaw (CVE-2026-29014)

Vulnerability
H score53 First: 05.05.2026 14:56 Last: 05.05.2026 14:56 Sources 1

About this happening: **CVE-2026-29014** in **MetInfo CMS** is **actively exploited**, putting **versions 7.9, 8.0, and 8.1** at risk of **remote code execution** and full server takeover. **MetInfo**...

Tropic Trooper trojanized SumatraPDF remote-access campaign

Campaign
H score34 First: 24.04.2026 12:29 Last: 24.04.2026 12:29 Sources 1

About this happening: **Tropic Trooper** is running an active **campaign** that uses a **trojanized SumatraPDF** lure to plant **AdaptixC2 Beacon** and later abuse **VS Code tunnels** for remote access...

Timeline

  1. 07.10.2025 11:45 1 articles · 9mo ago

    Storm-1175 zero-day exploitation of GoAnywhere CVE-2025-10035

    Exploitation Observed

    Storm-1175 first exploited CVE-2025-10035 against Fortra GoAnywhere Managed File Transfer (MFT) on September 11, abusing a critical deserialization flaw in the License Servlet Admin Console to bypass signature verification and deserialize attacker-controlled objects, with command injection and potential remote code execution risk on affected systems.

    Show sources
  2. 07.10.2025 11:45 1 articles · 9mo ago

    Fortra patches GoAnywhere CVE-2025-10035

    Mitigation Patch Update

    Fortra patched CVE-2025-10035 in GoAnywhere Managed File Transfer (MFT) on September 18 after the zero-day abuse had already begun, closing the critical License Servlet Admin Console deserialization flaw that could enable attacker-controlled object deserialization, command injection, and potential remote code execution.

    Show sources
  3. 07.10.2025 11:45 3 articles · 9mo ago

    Microsoft warns of active GoAnywhere CVE-2025-10035 ransomware exploitation

    Initial Disclosure

    Microsoft warned on 2025-10-07 that CVE-2025-10035 in Fortra GoAnywhere Managed File Transfer (MFT) is being actively exploited in ransomware attacks, and Shadowserver reported 513 exposed GoAnywhere instances, including 363 in North America, while post-exploitation activity included SimpleHelp, MeshAgent, mstsc.exe, Rclone, a Cloudflare tunnel, and Medusa ransomware.

    Show sources