#deserialization-rce

from ComputerWeekly.com
1 week ago

Alert over Medusa ransomware attacks targeting Fortra MFT | Computer Weekly

CVE-2025-10035 is a critical deserialisation flaw - bearing a CVSS score of 10.0 - in the GoAnywhere MFT licence servlet. Left unaddressed, it enables a threat actor who has obtained a validly forged licence response signature to deserialise an arbitrary, actor-controlled object. Early reports suggest that an attacker does not need to authenticate if they can craft or intercept a valid licence response, making internet-exposed instances of GoAnywhere particularly vulnerable. Ultimately, exploitation can lead to command injection and remote code execution.
Information security
from The Register
3 weeks ago

SolarWinds patches critical RCE - for the third time

SolarWinds issued a third hotfix for a critical (9.8) unauthenticated deserialization RCE in Web Help Desk; the earlier patches were bypassed, and the flaw is likely still exploitable.
Information security
from The Hacker News
3 weeks ago

SolarWinds Releases Hotfix for Critical CVE-2025-26399 Remote Code Execution Flaw

Critical unauthenticated deserialization vulnerability CVE-2025-26399 in SolarWinds Web Help Desk allows remote code execution as SYSTEM; update to 12.8.7 HF1.