Fortra GoAnywhere MFT CVE-2025-10035 active exploitation wave
Exploitation Wave
Summary
CVE-2025-10035 in Fortra GoAnywhere Managed File Transfer (MFT) is being actively exploited in ransomware attacks against systems with the admin console exposed to the public internet. Fortra said the flaw is a critical deserialization vulnerability in the License Servlet and confirmed unauthorized activity tied to the issue, while Microsoft linked the abuse to Storm-1175 and Medusa ransomware. The vendor investigated starting September 11, 2025, notified affected on-premises customers and law enforcement, and released a hotfix on September 12 followed by full patched versions on September 15.
Related Happenings
Grafana Labs Says GitHub hit by cyberattack
Incident
First: 17.05.2026 10:13
Last: 17.05.2026 10:13
Sources 1
About this happening:
A **Grafana Labs** incident was later tied to the **Mini Shai-Hulud** supply-chain campaign against **TanStack npm packages**. Grafana said an unauthorized party used a token to a...
MetInfo CMS unauthenticated PHP code injection actively exploited remote code execution flaw (CVE-2026-29014)
Vulnerability
First: 05.05.2026 14:56
Last: 05.05.2026 14:56
Sources 1
About this happening:
**CVE-2026-29014** in **MetInfo CMS** is **actively exploited**, putting **versions 7.9, 8.0, and 8.1** at risk of **remote code execution** and full server takeover. **MetInfo**...
Tropic Trooper trojanized SumatraPDF remote-access campaign
Campaign
First: 24.04.2026 12:29
Last: 24.04.2026 12:29
Sources 1
About this happening:
**Tropic Trooper** is running an active **campaign** that uses a **trojanized SumatraPDF** lure to plant **AdaptixC2 Beacon** and later abuse **VS Code tunnels** for remote access...
Storm-1175 high-tempo Medusa ransomware campaign
Campaign
First: 07.04.2026 13:02
Last: 07.04.2026 13:02
Sources 1
About this happening:
**Storm-1175** is running a **high-tempo Medusa ransomware campaign** that has repeatedly exploited **n-day and zero-day flaws** to gain initial access before patching closes the...
Fortinet FortiClient EMS emergency patch release (CVE-2026-35616, CVE-2026-21643)
Security Patch Release
First: 07.04.2026 12:26
Last: 07.04.2026 12:26
Sources 1
About this happening:
**Fortinet** released an **emergency hotfix** for **FortiClient Enterprise Management Server (EMS)** after confirming **active exploitation** of **CVE-2026-35616**, a critical fla...
Timeline
- 07.10.2025 11:45 · 1 article · 7mo ago
Storm-1175 zero-day exploitation of GoAnywhere CVE-2025-10035
Exploitation Observed: Storm-1175 first exploited CVE-2025-10035 against Fortra GoAnywhere Managed File Transfer (MFT) on September 11, abusing a critical deserialization flaw in the License Servlet Admin Console to bypass signature verification and deserialize attacker-controlled objects, with command injection and potential remote code execution risk on affected systems.
Sources:
- Microsoft: Critical GoAnywhere Bug Exploited in Medusa Ransomware Campaign — www.infosecurity-magazine.com — 07.10.2025 11:45
- 07.10.2025 11:45 · 1 article · 7mo ago
Fortra patches GoAnywhere CVE-2025-10035
Mitigation Patch Update: Fortra patched CVE-2025-10035 in GoAnywhere Managed File Transfer (MFT) on September 18 after the zero-day abuse had already begun, closing the critical License Servlet Admin Console deserialization flaw that could enable attacker-controlled object deserialization, command injection, and potential remote code execution.
Sources:
- Microsoft: Critical GoAnywhere Bug Exploited in Medusa Ransomware Campaign — www.infosecurity-magazine.com — 07.10.2025 11:45
- 07.10.2025 11:45 · 3 articles · 7mo ago
Microsoft warns of active GoAnywhere CVE-2025-10035 ransomware exploitation
Initial Disclosure: Microsoft warned on 2025-10-07 that CVE-2025-10035 in Fortra GoAnywhere Managed File Transfer (MFT) is being actively exploited in ransomware attacks, and Shadowserver reported 513 exposed GoAnywhere instances, including 363 in North America, while post-exploitation activity included SimpleHelp, MeshAgent, mstsc.exe, Rclone, a Cloudflare tunnel, and Medusa ransomware.
Sources:
- Microsoft: Critical GoAnywhere Bug Exploited in Medusa Ransomware Campaign — www.infosecurity-magazine.com — 07.10.2025 11:45
- Microsoft: Critical GoAnywhere Bug Exploited in Medusa Ransomware Campaign — www.infosecurity-magazine.com — 07.10.2025 11:45
- From Detection to Patch: Fortra Reveals Full Timeline of CVE-2025-10035 Exploitation — thehackernews.com — 10.10.2025 14:42