
Fortra Vendor Cyber Rating & Cyber Score

fortra.com

Fortra provides advanced offensive and defensive security solutions that deliver comprehensive protection across the cyber kill chain. With complete visibility across the attack chain, access to threat intelligence spanning the globe, and flexible solution delivery, Fortra customers can anticipate criminal behavior and strengthen their defenses in real time. Break the attack chain at fortra.com.


Fortra A.I CyberSecurity Scoring

Company Information
Website: https://www.fortra.com/
Number of employees: 1,727
Number of followers: 48,742
NAICS: 5112
Industry Type: Software Development
Homepage: fortra.com

Fortra Risk Score (AI oriented)
Between 0 and 549
Fortra, Software Development
Updated: 17/06/2026
Score: 100/1000
Rating: Critical (C)
Rating scale: Aaa, Aa, A, Baa, Ba, B, Caa, Ca, C
Powered by our proprietary A.I cyber incident model

Fortra: Critical
Current Score: 100, C (CRITICAL), on a scale of 0 to 1000
8 incidents
-30 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026
100 Before Incident
Vulnerability
15 Jun 2026, Fortra
Fortra: Fortra Access Manager Vulnerability Enables Remote Command Injection Attacks

Critical Command Injection Flaw in Fortra’s BoKS Exposes Privileged Access Systems

100 After Incident
Severity: CRITICAL; score impact: 0
FOR1781699072
Fortra has disclosed a critical security vulnerability (CVE-2026-9862) in its Core Privileged Access Manager (BoKS), allowing unauthenticated remote attackers to execute arbitrary commands on affected systems. The flaw, rated CVSS 9.8, stems from an OS command injection (CWE-78) weakness in the boks_autoregisterd service, which handles host autoregistration in the privileged access management environment. The vulnerability arises from improper input neutralization during the autoregistration process, enabling attackers to craft malicious requests that inject commands. The service listens on TCP port 6507 by default, making it accessible over the network in many deployments. Exploitation requires no user interaction or prior privileges, granting attackers the ability to execute commands with the service’s permissions, potentially leading to full system compromise, data manipulation, or lateral movement across networks.

Fortra identified the issue on May 27, 2026, and publicly disclosed it on June 15, 2026, via advisory FI-2026-007. While patches are pending, the company recommends temporary mitigations, including:
- Restricting network access to boks_autoregisterd via firewall rules or segmentation.
- Disabling the service entirely by modifying the boksinit configuration file on the BoKS Master system and restarting the service.

Security teams are advised to monitor for suspicious activity on port 6507, such as unexpected command execution or anomalous traffic. The flaw highlights risks posed by exposed management services and underscores the need for robust input validation in secure coding practices.
INCIDENT DETAILS -
TYPE
Command Injection
IMPACT
Systems Affected: Privileged Access Management (BoKS)
Operational Impact: Full system compromise, data manipulation, lateral movement
MAY 2026
100 Before Incident
APRIL 2026
100 Before Incident
MARCH 2026
100 Before Incident
FEBRUARY 2026
100 Before Incident
JANUARY 2026
100 Before Incident
Vulnerability
26 Jan 2026, Fortra
SmarterTools: 6,000+ SmarterMail Servers Exposed to Actively Exploited RCE Vulnerability

Critical SmarterMail RCE Vulnerability Under Active Exploitation

100 After Incident
Severity: CRITICAL; score impact: 0
SMA1769518747
A severe remote code execution (RCE) vulnerability in SmarterTools’ SmarterMail software is being actively exploited, exposing thousands of servers worldwide. Tracked as CVE-2026-23760, the flaw allows unauthenticated attackers to execute arbitrary commands on vulnerable systems, granting full control over affected servers. Security researchers identified approximately 6,000 internet-accessible SmarterMail instances running unpatched versions, with exploitation attempts already confirmed in the wild. The Shadowserver Foundation detected the threat through version-based scans, revealing a broad attack surface across enterprises, educational institutions, and service providers.

The vulnerability poses significant risks, including email interception, malware deployment, and persistent backdoor access. Organizations in healthcare, finance, government, and technology sectors are among those likely affected, given SmarterMail’s widespread adoption. Successful exploitation could lead to data exfiltration, business email compromise (BEC), and supply chain attacks. SmarterTools has released patches to address CVE-2026-23760, classified as critical due to its severity and active exploitation. The flaw’s global distribution underscores the urgency for organizations to assess, patch, and monitor their deployments to mitigate potential breaches.
INCIDENT DETAILS -
TYPE
Remote Code Execution (RCE)
IMPACT
Data Compromised: Email interception, data exfiltration
Systems Affected: SmarterMail servers
Operational Impact: Full control over affected servers, potential business email compromise (BEC), supply chain attacks
DATA BREACH
Type Of Data Compromised: Email data, sensitive business information
Sensitivity Of Data: High
Data Exfiltration: Possible
DECEMBER 2025
100 Before Incident
NOVEMBER 2025
100 Before Incident
OCTOBER 2025
100 Before Incident
SEPTEMBER 2025
130 Before Incident
Ransomware
18 Sep 2025, Fortra
Fortra

Critical Zero-Day Exploitation in Fortra’s GoAnywhere MFT Leading to Medusa Ransomware Attacks

100 After Incident
Severity: CRITICAL; score impact: -30
FOR0532805100725
A critical CVE-2025-10035 (CVSS 10.0) vulnerability in Fortra’s GoAnywhere Managed File Transfer (MFT) tool was actively exploited as a zero-day by threat group Storm-1175 before its patch on September 18, 2025. The flaw, a deserialization vulnerability in the License Servlet Admin Console, allowed attackers to bypass signature verification, execute arbitrary commands, and achieve remote code execution (RCE) without authentication. Post-exploitation, attackers conducted system discovery, lateral movement via RMM tools (SimpleHelp, MeshAgent), and deployed Medusa ransomware in at least one victim environment. Data exfiltration was facilitated using Rclone, while Cloudflare tunnels secured C2 communications. With 513 exposed GoAnywhere instances globally (majority in North America), the attack posed severe risks, including long-term system compromise, ransomware deployment, and potential data theft. Medusa, linked to over 300 global victims (including a US healthcare organization in 2025), leverages phishing and unpatched vulnerabilities for initial access, escalating threats to critical infrastructure.
INCIDENT DETAILS -
TYPE
Zero-day exploitation
Ransomware attack
Unauthenticated remote code execution
MOTIVATION
Financial gain (ransomware)
Data exfiltration
Long-term access for lateral movement
IMPACT
Systems Affected: 513 exposed GoAnywhere MFT instances (363 in North America)
System discovery
Lateral movement
Ransomware deployment (Medusa)
Data exfiltration via Rclone
Potential reputational damage for Fortra
Trust erosion in GoAnywhere MFT users
DATA BREACH
Observed via Rclone in at least one victim environment
Medusa ransomware encryption
AUGUST 2025
120 Before Incident
JULY 2025
101 Before Incident
JUNE 2025
324 Before Incident
Ransomware
16 Jun 2025, Fortra
Fortra

Critical Zero-Day Exploitation in GoAnywhere MFT Leading to Medusa Ransomware Deployment

100 After Incident
Severity: CRITICAL; score impact: -224
FOR1232312100725
Fortra’s GoAnywhere Managed File Transfer (MFT) was exploited via CVE-2025-10035, a critical zero-day deserialization vulnerability (CVSS 10.0) in its License Servlet Admin Console (versions ≤ 7.8.3). The Storm-1175 threat group weaponized the flaw to achieve unauthenticated remote code execution (RCE), leading to widespread network compromise. Attackers deployed web shells (.jsp), remote monitoring tools (SimpleHelp, MeshAgent), and conducted lateral movement via RDP (mstsc.exe) while exfiltrating data using Rclone. The final payload was Medusa ransomware, encrypting systems and demanding ransom for decryption keys. The attack disrupted operations, risked sensitive data exposure, and threatened business continuity. Mitigation required emergency patching, EDR/XDR deployment, and network isolation to prevent further damage. The incident highlights severe risks from unpatched critical vulnerabilities in enterprise file-transfer systems, exposing organizations to financial loss, reputational harm, and operational shutdowns if exploited.
INCIDENT DETAILS -
TYPE
Zero-day exploitation
Ransomware attack
Unauthorized access
Data exfiltration
MOTIVATION
Financial gain (ransomware)
Data theft
Network compromise
MAY 2025
507 Before Incident
Ransomware
01 May 2025, Fortra
Fortra (GoAnywhere MFT)

Exploitation of CVE-2025-10035 in GoAnywhere MFT by Storm-1175 Deploying Medusa Ransomware

307 After Incident
Severity: CRITICAL; score impact: -200
FOR3493534100725
The CVE-2025-10035 vulnerability in Fortra’s GoAnywhere Managed File Transfer (MFT)—a critical deserialization flaw in the License Servlet—was exploited as a zero-day by the Storm-1175 ransomware group (linked to Medusa ransomware). The flaw, rated 10/10 (Critical), allows unauthenticated remote code execution (RCE) via forged license signatures, enabling attackers to inject arbitrary commands. Microsoft confirmed exploitation across multiple organizations, with at least one confirmed Medusa ransomware deployment post-compromise.

Over 500 unpatched GoAnywhere MFT instances remain exposed online, risking further attacks. While Fortra released patches (7.8.4 or Sustain Release 7.6.3) on September 18, 2025, delayed updates leave systems vulnerable. The attack chain involves initial access via CVE-2025-10035, followed by ransomware deployment, potentially leading to full data encryption, operational disruption, and financial extortion demands. Organizations failing to patch or mitigate (e.g., removing public internet exposure) face severe data breaches, reputational damage, and regulatory penalties. Logs showing ‘SignedObject.getObject’ errors may indicate compromise.
INCIDENT DETAILS -
TYPE
Vulnerability Exploitation
Ransomware Attack
MOTIVATION
Financial Gain (Ransomware)
Data Theft/Encryption
IMPACT
GoAnywhere MFT instances (500+ exposed)
Potential file transfer disruptions
System compromise via RCE
High (associated with ransomware deployment)
DATA BREACH
Likely (Medusa ransomware deployment)
JUNE 2023
319 Before Incident
Vulnerability
16 Jun 2023, Fortra
Fortra (GoAnywhere MFT)

Critical Vulnerability in Fortra's GoAnywhere MFT (CVE-2025-10035) Exploited in the Wild

315 After Incident
Severity: CRITICAL; score impact: -4
FOR2492024093025
The CVE-2025-10035 vulnerability in Fortra’s GoAnywhere MFT—a critical file transfer tool—was added to CISA’s Known Exploited Vulnerabilities (KEV) list with a CVSS score of 10/10. Evidence suggests active exploitation since at least September 10, 2025, though Fortra has not confirmed this publicly. The flaw allows unauthorized third-party access to systems with an internet-exposed Admin Console, risking data breaches, ransomware deployment, or APT (Advanced Persistent Threat) intrusions. Historical context links this to CVE-2023-0669, a prior GoAnywhere vulnerability exploited by the Clop ransomware gang, which breached 130+ organizations (including Hitachi, Rubrik, Rio Tinto, and government entities like Toronto and Tasmania). If exploited similarly, CVE-2025-10035 could enable mass data theft, financial fraud, or operational disruptions across thousands of vulnerable systems. While Fortra released a patch, delayed action by organizations (e.g., failing to remove public Admin Console access) increases the risk of large-scale attacks, potentially leading to regulatory penalties, reputational damage, and financial losses if customer or employee data is compromised.
INCIDENT DETAILS -
TYPE
Vulnerability Exploitation
Potential Data Breach
Unauthorized Access
IMPACT
GoAnywhere MFT Admin Consoles (Internet-Exposed)
Potential Unauthorized Access
Data Exfiltration Risk
Ransomware Risk
Potential Reputation Damage Due to Exploitation Reports
DATA BREACH
Potential (Unconfirmed)
JANUARY 2023
660 Before Incident
Ransomware
01 Jan 2023, Fortra
Fortra (GoAnywhere MFT)

Fortra GoAnywhere MFT Data Breach (Clop Ransomware Attack)

253 After Incident
Severity: CRITICAL; score impact: -407
FOR5993659092925
In January 2023, Fortra’s GoAnywhere MFT file transfer software—a tool widely used by healthcare and financial institutions—was exploited by the Clop ransomware group, a Russian-based cybercriminal operation. The attack leveraged a zero-day vulnerability, enabling hackers to infiltrate systems and exfiltrate personal health information (PHI) of at least 5 million individuals. The breach also impacted 130 organizations, including major entities like Aetna, Community Health Systems, and NationsBenefits, exposing them to litigation. The incident led to a $20 million class-action settlement (alongside a prior $7 million subclass settlement), covering monetary compensation (up to $5,000 per victim or a flat $85), dark web monitoring, and mandated cybersecurity enhancements by defendants. The breach underscored critical failures in vulnerability management, with plaintiffs alleging negligence in safeguarding sensitive health data from unauthorized access.
INCIDENT DETAILS -
TYPE
Data Breach
Ransomware Attack
MOTIVATION
Financial gain (ransomware attack and data exfiltration)
IMPACT
Financial Loss: $27 million (total settlements: $20M global + $7M Brightline subclass)
Data Compromised: Personal health information (PHI) of at least 5 million individuals
Systems Affected: Fortra GoAnywhere MFT software used by ~130 organizations
Brand Reputation Impact: Significant (led to class-action litigation and regulatory scrutiny)
Legal Liabilities: $27 million in settlements, potential ongoing legal risks
Identity Theft Risk: High (PHI of 5M+ individuals exposed)
DATA BREACH
Type Of Data Compromised: Personal Health Information (PHI)
Number Of Records Exposed: 5,000,000+
Sensitivity Of Data: High (health data)
JUNE 2021
760 Before Incident
Ransomware
16 Jun 2021, Fortra
Fortra (GoAnywhere MFT)

Exploitation of CVE-2025-10035 in Fortra's GoAnywhere MFT Leading to Medusa Ransomware Attacks

616 After Incident
Severity: CRITICAL; score impact: -144
FOR2002120100725
Cybercriminal group Storm-1175 exploited CVE-2025-10035, a critical vulnerability in Fortra’s GoAnywhere Managed File Transfer (MFT) solution, to deploy Medusa ransomware. The attack began as early as September 11, with threat actors leveraging the flaw for initial access, followed by lateral movement using tools like SimpleHelp and MeshAgent. Microsoft confirmed successful ransomware deployment in at least one victim environment.

The vulnerability allowed attackers to maintain long-term access, perform system/user discovery, and deploy additional malware. Despite Fortra’s awareness of the bug since September 18, the company failed to disclose active exploitation, leaving organizations vulnerable for weeks. CISA later mandated federal agencies to patch by October 20, while security firm watchTowr warned of ongoing 'silent assaults' targeting GoAnywhere users.

Medusa ransomware, linked to over 300 attacks on critical infrastructure since 2021, has previously breached Minneapolis Public Schools (exposing 100,000+ records), government agencies in the Philippines/France, and NASCAR. The attack’s scale suggests widespread data compromise, though Fortra has not clarified how threat actors obtained private keys for exploitation or the full extent of the damage.
INCIDENT DETAILS -
TYPE
Ransomware
Vulnerability Exploitation
Data Breach
MOTIVATION
Financial Gain
Data Theft
Disruption
DATA BREACH
Sensitive Student Documents (Minneapolis Public Schools)
Potential PII and Corporate Data (Other Victims)
Number Of Records Exposed: 100,000+ (Minneapolis Public Schools alone)
Sensitivity Of Data: High (includes PII, student records, government data)
