SparTech Software CyberPulse – Your quick strike cyber update for October 11, 2025 5:02 AM

Exploitation of CVE-2025-10035 in GoAnywhere Managed File Transfer: Critical Vulnerability Leads to Ransomware Attacks

A critical security flaw, CVE-2025-10035 (CVSS 10.0), in Fortra's GoAnywhere Managed File Transfer (MFT) product has been actively exploited since September 11, 2025, resulting in unauthorized activity and ransomware deployments. The vulnerability is a deserialization flaw in the License Servlet: an unauthenticated attacker who can present a license response carrying a signature the servlet accepts (in practice, a forged one) gets an arbitrary attacker-controlled object deserialized on the server, which leads to command injection. Fortra has confirmed targeted attacks and is urging immediate mitigations, especially for customers whose admin console is reachable from the public internet.

Discovery and Incident Timeline

The initial detection occurred when a customer reported suspicious activity on September 11, prompting Fortra to investigate and identify a deserialization flaw in the License Servlet that permits command injection. Fortra notified customers whose admin consoles were exposed to the public internet and alerted law enforcement the same day.

Patching and Mitigation Measures

Fortra provided hotfixes for vulnerable software versions within 24 hours, and on September 15 released full builds containing the fix (7.8.4, and 7.6.3 for the Sustain Release). To limit risk, the company advised customers to take the admin console off the public internet or restrict access to it by source address, to review logs for errors mentioning SignedObject.getObject, which Fortra lists as an indicator of attempted exploitation, and to update every installation to a patched version.

Ransomware Campaign by Storm-1175

Microsoft researchers identified the cybercrime group Storm-1175 as exploiting CVE-2025-10035 to deploy Medusa ransomware on exposed targets, following the familiar sequence of dropping web shells and remote-management tooling, moving laterally, and exfiltrating data before encryption. The exploit depends on a license response that passes the servlet's signature check, which should require a private key held only by Fortra; how the attackers obtained such a signature, or bypassed the check, has not been publicly explained.

Technical Analysis: Command Injection via Deserialization

The vulnerability is unsafe deserialization of attacker-supplied data: the License Servlet reconstructs a Java object from the license response it receives, so an attacker who gets past the signature check can supply an object graph that executes arbitrary system commands during deserialization, with no authentication required. Fortra states the flaw is confined to the License Servlet and that exposure is limited to deployments whose admin console is reachable by the attacker, in practice those exposed to the internet; an attacker who already has a foothold inside the network can reach an internal console just the same. Other components of the GoAnywhere MFT architecture are unaffected.
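The following is an added example, not Fortra's code and not a description of how GoAnywhere's License Servlet is implemented. It shows the two shapes of a "signed blob, then deserialize" handler: the vulnerable one, where the signature is the only gate, and a hardened one that also restricts which classes the deserializer may instantiate. Python's pickle stands in for Java serialization, a restricted Unpickler stands in for a Java ObjectInputFilter allowlist, and an HMAC over a constructed key stands in for the vendor's real license signature; the class names and payload format are assumptions made for the example.

```python
import hashlib
import hmac
import io
import pickle

# Constructed for this example: in the real product the vendor signs license responses
# with a private key it alone holds; a shared HMAC key plays that role here so the
# script runs offline.
SIGNING_KEY = b"example-license-signing-key"


class LicenseResponse:
    """Hypothetical payload type; stands in for whatever the servlet really expects."""

    def __init__(self, customer: str, expires_epoch: int):
        self.customer = customer
        self.expires_epoch = expires_epoch


def sign(blob: bytes) -> bytes:
    return hmac.new(SIGNING_KEY, blob, hashlib.sha256).digest()


def encode_license(resp: LicenseResponse) -> bytes:
    """A legitimate license response on the wire: signature || serialized object."""
    blob = pickle.dumps(resp, protocol=4)
    return sign(blob) + blob


class _AttackerObject:
    """Stand-in for an attacker-chosen serialized object whose reconstruction runs code,
    the pickle analogue of a Java gadget chain. Here it only flips a flag."""

    triggered = False

    def __reduce__(self):
        return (setattr, (_AttackerObject, "triggered", True))


def _check_signature(message: bytes) -> bytes:
    sig, blob = message[:32], message[32:]
    if not hmac.compare_digest(sig, sign(blob)):
        raise ValueError("bad license signature")
    return blob


def parse_unsafe(message: bytes) -> object:
    """Vulnerable shape: the signature is the only gate. Anything carrying a valid
    signature is deserialized with no restriction on the object types it may contain."""
    return pickle.loads(_check_signature(message))


class _AllowlistUnpickler(pickle.Unpickler):
    """Resolve only the one class the protocol needs; reject everything else before it
    is instantiated (the pickle analogue of an ObjectInputFilter allowlist)."""

    def find_class(self, module: str, name: str):
        if (module, name) == (LicenseResponse.__module__, LicenseResponse.__name__):
            return LicenseResponse
        raise pickle.UnpicklingError(f"class not allowed: {module}.{name}")


def parse_safe(message: bytes) -> LicenseResponse:
    """Hardened shape: same signature check, but deserialization can only produce a
    LicenseResponse, so a forged or stolen signature no longer buys code execution."""
    obj = _AllowlistUnpickler(io.BytesIO(_check_signature(message))).load()
    if not isinstance(obj, LicenseResponse):
        raise ValueError(f"unexpected type {type(obj).__name__}")
    return obj


def demo() -> dict:
    """Run both parsers against a genuine license and against an attacker payload that,
    as in the incident, arrives with a signature the server accepts."""
    good = encode_license(LicenseResponse("acme", 1_800_000_000))
    payload = pickle.dumps(_AttackerObject(), protocol=4)
    forged = sign(payload) + payload  # how the attacker got a valid signature is the open question
    results = {}

    _AttackerObject.triggered = False
    parse_unsafe(forged)
    results["unsafe_ran_attacker_code"] = _AttackerObject.triggered

    _AttackerObject.triggered = False
    try:
        parse_safe(forged)
        results["safe_rejected_attacker_code"] = False
    except pickle.UnpicklingError:
        results["safe_rejected_attacker_code"] = not _AttackerObject.triggered

    results["safe_accepts_genuine"] = parse_safe(good).customer == "acme"

    try:
        parse_safe(bytes(32) + payload)  # unsigned payload: rejected before any deserialization
        results["bad_signature_rejected"] = False
    except ValueError:
        results["bad_signature_rejected"] = True
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The point of the hardened version is defence in depth: the signature check is still there, but the deserializer is no longer trusted to do the right thing with whatever passes it. In Java the equivalent is `ObjectInputStream.setObjectInputFilter` with a pattern that names the expected class and ends in `!*`, or, better, replacing native serialization with a plain data format for the license payload.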

Industry Response and Recommendations

Security experts have underscored the seriousness of the exploit, especially since ransomware deployments followed initial exploitation within weeks. Fortra's disclosure confirming unauthorized access reinforces the need for rapid patching, keeping the admin console off the internet, network segmentation, and close monitoring of every exposed GoAnywhere MFT deployment.

Oracle E-Business Suite Faces Extortion Campaigns After Zero-Day Exploitation

A widespread extortion campaign is targeting Oracle E-Business Suite customers: hackers linked to the Clop ransomware group are sending threatening emails to corporate executives, claiming to hold sensitive data stolen from E-Business Suite applications. Oracle initially pointed customers to vulnerabilities fixed in its July 2025 Critical Patch Update, but the campaign is now assessed to have relied on a previously unknown flaw.

Attack Vector: Zero-Day Vulnerability Exploitation

Researchers from Mandiant attribute the campaign to a vulnerability chain that includes a zero-day flaw, meaning it was exploited before a fix existed, with the extortion emails beginning shortly after Oracle's latest patch release. Precise technical details about the exploited vulnerability remain undisclosed, but victims receive personalized extortion emails referencing specific data purportedly exfiltrated from E-Business Suite applications.

Scope and Victim Profile

The campaign appears to target large enterprises, with the attackers addressing high-ranking executives and citing business-critical operational data. That pattern implies reconnaissance and access beyond the initial foothold, most likely obtained through unpatched, internet-facing Oracle application nodes.

Technical Insights and Mitigation Guidance

While Oracle investigates, security researchers recommend that affected organizations confirm which E-Business Suite patches have been applied and which are still pending, starting with the July 2025 Critical Patch Update. Administrators should monitor for anomalous data access on the application and database tiers, restrict outbound traffic from application nodes so that exfiltration and command-and-control channels are blocked rather than merely logged, and deploy endpoint detection on the hosts involved.

Red Hat Customer Data Theft Following GitLab Repository Breach

Sensitive data belonging to Red Hat customers, including major corporations such as Walmart, American Express, and HSBC, has been exposed following a breach of a GitLab instance used by Red Hat's consulting business. Hackers accessed confidential customer engagement material, raising concerns about third-party exposure in software supply chains.

Details of the Attack

The attackers reached a repository that was inadequately protected (whether through misconfiguration or a software vulnerability has not been stated) and were able to enumerate and extract customer-specific data files. Security experts indicate the stolen information includes credentials, support case details, and project metadata, which is the kind of material a consulting engagement accumulates: configuration details, authentication tokens, and descriptions of customer infrastructure.

Impact and Response

Red Hat responded by investigating the incident, notifying affected clients, and advising them to rotate any access credentials or API keys that may have been exposed. The breach underscores the importance of continuous monitoring, hardened repository configurations, and tightly restricted access to source code and metadata stores; it also shows why credentials should not live in repositories at all, since a copy of the repository is a copy of every secret in it.

Supply Chain Security Lessons

The event highlights the risks inherent to interconnected cloud and DevOps ecosystems and the need for third-party risk assessments and robust access control. Organizations are encouraged to audit their code repositories for committed secrets and to implement automated anomaly detection for file access and credential use.
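As an added example for the two recommendations above (rotating anything that may have been exposed, and auditing repositories for committed secrets), the scanner below walks a repository snapshot and reports lines that look like credentials. It is not Red Hat's tooling and the repository contents are constructed for the example; the rule set is deliberately small (an AWS access key ID pattern, a PEM private-key header, and an entropy-gated generic "name = value" rule) and is meant to show the technique, not to replace a maintained scanner such as gitleaks or trufflehog. The AWS key ID shown is Amazon's published example value, and the token is a random-looking string made up here.

```python
import math
import re
from typing import Dict, List, Tuple

# Rule name -> pattern. Group 1 is the candidate secret value.
RULES: Dict[str, re.Pattern] = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "private_key_block": re.compile(r"(-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----)"),
    "generic_assignment": re.compile(
        r"(?i)(?:api[_-]?key|secret|token|password)\s*[:=]\s*['\"]?([A-Za-z0-9_\-/+=]{16,})"),
}
MIN_ENTROPY_BITS = 3.5  # per character; placeholders like 'changeme_changeme' fall well below this


def shannon_entropy(s: str) -> float:
    """Bits per character of the string; random-looking tokens score high, words score low."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(path: str, text: str) -> List[Tuple[str, int, str]]:
    """Return (path, line_number, rule) for each hit. The generic rule is entropy-gated so
    example values and placeholders do not drown out real tokens."""
    hits: List[Tuple[str, int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            m = pattern.search(line)
            if not m:
                continue
            if rule == "generic_assignment" and shannon_entropy(m.group(1)) < MIN_ENTROPY_BITS:
                continue
            hits.append((path, lineno, rule))
    return hits


def scan_repo(files: Dict[str, str]) -> List[Tuple[str, int, str]]:
    """Scan a path -> contents mapping. A real run walks the checkout and, just as
    importantly, the git history, since a deleted secret is still in the object store."""
    hits: List[Tuple[str, int, str]] = []
    for path in sorted(files):
        hits.extend(scan_text(path, files[path]))
    return hits


# Constructed repository snapshot (not real customer data). AKIAIOSFODNN7EXAMPLE is AWS's
# published example key ID, the private key body is truncated, and the API token is invented.
REPO: Dict[str, str] = {
    "README.md": "# Service\nSet API_TOKEN in the environment; never commit it.\n",
    "app/settings.py": "PASSWORD = 'changeme_changeme'\nAPI_TOKEN = 'q7Rz2mK9vL4pX8wT1bN6yH3cF5dJ0sA'\n",
    "config/aws.yml": "region: us-east-1\naws_access_key_id: AKIAIOSFODNN7EXAMPLE\n",
    "deploy/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEA...\n-----END RSA PRIVATE KEY-----\n",
}

if __name__ == "__main__":
    for path, lineno, rule in scan_repo(REPO):
        print(f"{path}:{lineno}: {rule}")
```

Every hit is a credential to rotate, not just a line to delete: once a repository has been copied, removing the secret from the tree does nothing for the copy the attacker already has. The entropy gate is what keeps the generic rule usable; without it, every `password = 'changeme_changeme'` in a test fixture would be reported alongside real tokens.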

Microsoft Outlook Blocks Inline SVG Images to Prevent Phishing Attacks

In a tactical update to combat phishing, Microsoft is blocking inline SVG (Scalable Vector Graphics) images in Outlook for the web and the new Outlook for Windows, with the change completing in October 2025. The measure responds to a rise in SVG-based phishing, in which vector graphics carry scripts, links or redirects that slip past filters tuned for raster image formats.

Background: SVG as a Phishing Vector

Attackers have shifted from conventional raster image attachments to SVG files. Because SVG is an XML format, a file can carry script elements, event-handler attributes and links alongside the drawing, and a mail client or browser that renders the image may execute that content, leading to credential theft or a malware download from what looks like a harmless picture.

Technical Update and Security Implications

The new behaviour disables automatic inline rendering of SVG images and requires the user to act before SVG content is downloaded or previewed. The update applies to both consumer and enterprise deployments and aims to remove the attack surface without a noticeable impact on productivity, since legitimate mail rarely depends on inline SVG.

Recommendations for Administrators

Organizations should update mail filtering policies to block or quarantine SVG attachments and warn users about image-based social engineering. Administrators can use DLP (Data Loss Prevention) rules to flag SVG files sent externally or internally, further reducing the attack surface, and gateway inspection should parse SVG content as XML rather than trusting the declared image type.
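As an added example covering both the SVG attack vector described above and the filtering advice, the following mail-gateway check parses an SVG as XML and reports the constructs that make it dangerous to render: script elements, event-handler attributes, javascript: and data: links, external references, and foreignObject (which embeds arbitrary HTML). This is not Microsoft's code; the sample SVGs are constructed for the example, and `example.invalid` is a reserved, non-resolving domain.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List


def _local(qualified: str) -> str:
    """'{http://www.w3.org/2000/svg}script' -> 'script'; plain names pass through."""
    return qualified.rsplit("}", 1)[-1].lower()


def svg_risk_indicators(svg: bytes) -> List[str]:
    """Reasons this SVG should not be auto-rendered. An empty list means these checks
    found nothing, not that the file is safe. Parse untrusted XML with defusedxml in
    production; ElementTree is used here only because the samples are constructed."""
    try:
        root = ET.fromstring(svg)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]
    findings: List[str] = []
    for elem in root.iter():
        if not isinstance(elem.tag, str):
            continue  # comments / processing instructions
        tag = _local(elem.tag)
        if tag == "script":
            findings.append("<script> element")
        elif tag == "foreignobject":
            findings.append("<foreignObject> element (embeds arbitrary HTML)")
        for attr, value in elem.attrib.items():
            name, val = _local(attr), value.strip().lower()
            if name.startswith("on"):
                findings.append(f"event handler {name}= on <{tag}>")
            elif name == "href":
                if val.startswith(("javascript:", "data:")):
                    findings.append(f"{val.split(':', 1)[0]}: URI on <{tag}>")
                elif val.startswith(("http://", "https://", "//")):
                    findings.append(f"external reference on <{tag}>")
    return findings


def should_block(svg: bytes) -> bool:
    """Gateway decision: anything with a finding is blocked or quarantined."""
    return bool(svg_risk_indicators(svg))


# Constructed samples, not real phishing artifacts.
SAMPLES: Dict[str, bytes] = {
    "benign": b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
              b'<rect width="10" height="10" fill="red"/></svg>',
    "script": b'<svg xmlns="http://www.w3.org/2000/svg">'
              b'<script>window.location = "https://example.invalid/login"</script></svg>',
    "onload": b'<svg xmlns="http://www.w3.org/2000/svg" onload="fetch(\'https://example.invalid/c\')">'
              b'<circle r="1"/></svg>',
    "js_link": b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
               b'<a xlink:href="javascript:alert(1)"><text>Open document</text></a></svg>',
    "remote_image": b'<svg xmlns="http://www.w3.org/2000/svg">'
                    b'<image href="https://example.invalid/track.png"/></svg>',
    "foreign": b'<svg xmlns="http://www.w3.org/2000/svg"><foreignObject>'
               b'<body xmlns="http://www.w3.org/1999/xhtml"><iframe src="https://example.invalid/"/>'
               b'</body></foreignObject></svg>',
}


def scan_samples() -> Dict[str, List[str]]:
    return {name: svg_risk_indicators(svg) for name, svg in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print(f"{name:12} {'BLOCK' if findings else 'allow':5} {findings}")
```

Two caveats a gateway has to handle that the samples only hint at: the file must be identified by content, not by extension or declared MIME type, since a renamed `.svg` is still an SVG once a browser sniffs it; and an SVG is an XML document, so the parser itself is attack surface (entity expansion), which is why the comment points at defusedxml for untrusted input.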
