Vulnerability intelligence

CVE-2025-10035

Fortra GoAnywhere MFT Deserialization of Untrusted Data Vulnerability

A deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection.

CVSS Score

Critical

EPSS — Exploit Probability

62%

Riskier than 98% of all CVEs

Exploitation

Confirmed in the wild

Used in ransomware campaigns

Remediation

Patch available

Federal deadline 2025-10-20

CISA required action

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Deadline for federal agencies: 2025-10-20.

NVD entry Vendor patch PoC / advisory CISA KEV

2 articles across 2 outlets · first covered Apr 7, 2026 · latest Apr 7, 2026

Associated threat actors

Storm-1175

Coverage timeline

Storm-1175 Deploys Medusa Ransomware at 'High Velocity'
www.darkreading.com · Apr 7, 2026
Storm-1175 Exploits Flaws in High-Velocity Medusa Attacks
www.infosecurity-magazine.com · Apr 7, 2026