tag: Active-Exploitation · 1 items
- Engineer — Act: GoAnywhere MFT is a common enterprise managed-file-transfer appliance; CISA KEV listing plus EPSS 1.00 plus a public GitHub PoC means exploitation is active now. Patch to the vendor-fixed release immediately or take the instance offline until patching is complete.
- SOC/IR — Act: Prior GoAnywhere exploitation by Cl0p hit hundreds of organizations; treat any unpatched instance as potentially compromised. Hunt for anomalous outbound transfers, newly created admin accounts, and lateral movement originating from GoAnywhere servers since the PoC became public.
- Leader — Act: The 2023 Cl0p GoAnywhere campaign was a marquee supply-chain breach; this CVE matches or exceeds that severity signal (EPSS 1.00, KEV-listed). Confirm this week whether your org or critical MFT vendors run GoAnywhere and obtain patch attestations before history repeats.
- Signals: CVE-2025-10035 — CISA KEV: listed, EPSS 1.00, public PoC on GitHub