In this week’s Security Advisory

  • Fortra Patches Maximum Severity Vulnerability in GoAnywhere MFT’s License Servlet
  • Redis Patches Critical Vulnerability Exposing 60,000 servers to Exploitation
  • Critical macOS Privilege Escalation Found in AWS Client VPN
  • DrayTek Patches High-Risk Remote Code Execution Issue

Fortra Patches Maximum Severity Vulnerability in GoAnywhere MFT’s License Servlet

There are credible reports that this vulnerability has been exploited in the wild since early September. If you have not applied patches yet, it is critical that you do so as soon as possible.

More Reading / Information

Original Advisory:

Software vendor Fortra has patched a maximum level security vulnerability, tracked as CVE-2025-10035 (CVSS 10/10), in its GoAnywhere Managed File Transfer (MFT) software. The largest risk is present in instances where the GoAnywhere MFT Admin Console is accessible on the public internet.

The vulnerability is a deserialization flaw in the software's License Servlet. If exploited, an attacker may remotely execute code on the system. The barrier to exploitation is trivial.

CyberMaxx urges clients to upgrade to the latest software or verify that the Administrative Console is not accessible via the internet as soon as possible.

Recommendations

  • Mitigation: Verify that the admin console is not accessible over the internet.
  • Upgrade to GoAnywhere MFT 7.8.4 / Sustain Release 7.6.3, which includes the patch.

More Reading / Information

Redis Patches Critical Vulnerability Exposing 60,000 servers to Exploitation

Redis is an open-source platform that stores data in memory, mainly used as an application cache or quick-response database. Exploiting this vulnerability currently requires authentication; however, roughly 60,000 Redis servers are exposed to the internet with no authentication required. These instances are exposed to CVE-2025-49844 (CVSS 10/10), a.k.a. RediShell, a use-after-free vulnerability that allows an authenticated attacker to execute code remotely. An attacker could fully compromise a system by sending a malicious Lua script, which would allow them to deploy a reverse shell and establish persistent access. If you use the Redis Cloud service, fixes have already been applied.

Affected Versions

All Redis Software releases.
All Redis OSS/CE/Stack releases with Lua scripting.

Recommendations

  • Restrict network access to authorized users only.
  • Enforce strong authentication for all Redis instances.
  • Limit permissions to adhere to the principle of least privilege.
  • Upgrade to the latest versions here.
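The three recommendations above map directly onto redis.conf directives (bind and protected-mode, requirepass or ACL passwords, and ACL command categories). The following is an added example, not part of the advisory or of Redis itself, that parses a configuration file and flags settings that violate each recommendation. Both sample configurations are constructed, and the ACL user name and password placeholder in the hardened sample are illustrative.

```python
"""Audit a redis.conf against the three hardening points in the
Recommendations above: restricted network access, enforced authentication
and least-privilege ACLs. Added example; not part of the advisory or of Redis.
The two sample configurations are constructed for illustration."""
import re
from typing import Dict, List


def parse_redis_conf(text: str) -> Dict[str, List[str]]:
    """Map each directive (lower-cased) to the list of its argument strings.

    Directives such as `user` may repeat, so every occurrence is kept.
    Blank lines and `#` comments are skipped.
    """
    conf: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return conf


def audit_redis_conf(text: str) -> List[str]:
    """Return a list of findings; an empty list means all three checks pass."""
    conf = parse_redis_conf(text)
    findings: List[str] = []

    # 1. Network access: bind to specific internal addresses and keep
    #    protected-mode on (it rejects remote clients when no password is set).
    wildcard = {"0.0.0.0", "*", "::"}
    binds = [a for args in conf.get("bind", []) for a in args.split()]
    if not binds or wildcard & set(binds):
        findings.append("bind: listens on all interfaces; bind to specific internal addresses")
    if conf.get("protected-mode", ["yes"])[-1].lower() == "no":
        findings.append("protected-mode: disabled; set it to yes")

    # 2. Authentication: either requirepass or an ACL user carrying a
    #    password ('>clear' or '#sha256'); a 'nopass' default user is open access.
    users = [u.split() for u in conf.get("user", []) if u.split()]
    has_password = bool(conf.get("requirepass")) or any(
        re.match(r"[>#].", tok) for rules in users for tok in rules[1:])
    if not has_password:
        findings.append("auth: no requirepass and no ACL user with a password")
    for rules in users:
        if rules[0] == "default" and "nopass" in rules:
            findings.append("acl: default user is nopass; turn it off or give it a password")

    # 3. Least privilege: application users should not be able to run Lua.
    #    The @scripting ACL category covers EVAL/EVALSHA; +@all / allcommands
    #    include it unless -@scripting is also present.
    for rules in users:
        name = rules[0]
        if name == "default" or "on" not in rules:
            continue
        grants_all = ("+@all" in rules or "allcommands" in rules) and "-@scripting" not in rules
        grants_lua = any(r in ("+@scripting", "+eval", "+evalsha") for r in rules)
        if grants_all or grants_lua:
            findings.append(f"acl: user {name} can run Lua scripts; add -@scripting")
    return findings


# Constructed sample: an internet-exposed instance with the risky defaults.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
"""

# Constructed sample: the same instance after applying the recommendations.
HARDENED_CONF = """
bind 10.0.1.5 127.0.0.1
protected-mode yes
port 6379
user default off
user app on >REPLACE_WITH_STRONG_SECRET ~app:* -@all +@read +@write
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_redis_conf(conf) or ["no findings"])
```

The weak sample produces three findings (open bind, protected-mode off, no password); the hardened sample produces none. Running the audit over every redis.conf in an estate is a quick way to find the unauthenticated, internet-reachable instances the advisory is talking about before an attacker does.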

More Reading / Information

Critical macOS Privilege Escalation Found in AWS Client VPN

A critical local privilege escalation vulnerability has been identified in the AWS Client VPN application for macOS, which could enable non-administrative users to obtain root access on affected machines. Known as CVE-2025-11462 (CVSS 9.3/10) and disclosed by AWS on October 7, 2025, the issue arises from insufficient validation during log rotation. It affects AWS Client VPN versions ranging from 1.3.2 to 5.2.0. Windows and Linux editions remain unaffected.

Affected Versions

  • AWS Client VPN Client for macOS versions 1.3.2–5.2.0.

Recommendations

  • Upgrade to VPN Client Version 5.2.1.

More Reading / Information

DrayTek Patches High-Risk Remote Code Execution Issue

A critical vulnerability, CVE-2025-10547 (CVSS 8.8/10), affecting DrayTek Vigor routers has been patched after researchers discovered it allowed unauthenticated remote attackers to execute arbitrary code and gain full control of the device. The flaw stems from an uninitialized variable in the LAN web interface that can be exploited via specially crafted HTTP requests, leading to memory corruption and system hijacking. If features like EasyVPN or remote admin access are enabled, attackers can exploit the flaw over the internet without needing login credentials. Once compromised, the attacker can install backdoors, alter network settings, or launch further attacks.

Affected Versions

  • The full list can be found here.

Recommendations

  • Update firmware immediately.

More Reading / Information

Recommendations

Please review your environment to ensure the above-mentioned issues are patched in a timely manner. It is security best practice to regularly update and/or patch software to the latest versions. The vulnerabilities above highlight the security benefits of limiting deployed software to “vendor-supported versions” only. This dramatically increases the likelihood that new vulnerabilities have a patch issued for them. Likewise, CyberMaxx strongly encourages maintaining an inventory of current software in your environment, which helps ensure and inform your patch and vulnerability management program.
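A software inventory only pays off when it is checked against advisories like this one. The following added example (not part of the advisory or of any vendor's tooling) matches inventory rows against the versions quoted in the sections above: the AWS Client VPN for macOS 1.3.2–5.2.0 affected range with the 5.2.1 fix, the GoAnywhere MFT 7.8.4 / 7.6.3 fixed releases, and the "all releases" statement for Redis. The hostnames and installed versions are constructed, and the rule that a version counts as patched only when it is at or above the fix on its own release line is an assumption, not something the advisory states.

```python
"""Check a software inventory against the fixed and affected versions quoted
in this week's advisory. Added example; not part of the advisory or of any
vendor's tooling. The inventory rows are constructed; the CVE ids and version
numbers are the ones stated in the advisory text."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(s: str) -> Version:
    """'7.8.4' -> (7, 8, 4); a trailing suffix such as '-rc1' is ignored.
    Assumes dotted numeric versions, which all products here use."""
    m = re.match(r"\d+(?:\.\d+)*", s.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {s!r}")
    return tuple(int(p) for p in m.group(0).split("."))


@dataclass(frozen=True)
class Rule:
    product: str
    cve: str
    platform: Optional[str]              # None = every platform
    affected: Optional[Tuple[str, str]]  # inclusive (lowest, highest) affected version
    fixed: Tuple[str, ...]               # fixed releases; empty = "upgrade to latest"


# Thresholds taken from the advisory sections above.
ADVISORY: List[Rule] = [
    Rule("GoAnywhere MFT", "CVE-2025-10035", None, None, ("7.8.4", "7.6.3")),
    Rule("Redis", "CVE-2025-49844", None, None, ()),              # all releases with Lua
    Rule("AWS Client VPN", "CVE-2025-11462", "macos", ("1.3.2", "5.2.0"), ("5.2.1",)),
]


def is_affected(rule: Rule, version: str, platform: str) -> bool:
    """Decide whether one installed version falls under the rule."""
    if rule.platform and rule.platform != platform.lower():
        return False
    v = parse_version(version)
    if rule.affected:
        lo, hi = (parse_version(x) for x in rule.affected)
        return lo <= v <= hi
    if rule.fixed:
        # Assumption (the advisory lists only the fixed releases): a version is
        # patched when it is at or above the fix on its own release line
        # (same first two components); other lines are treated as unpatched.
        for f in rule.fixed:
            fv = parse_version(f)
            if v[:2] == fv[:2]:
                return v < fv
        return True
    return True  # no range and no fix listed: the advisory says all releases are affected


def find_unpatched(inventory: List[Dict[str, str]], rules: List[Rule] = ADVISORY) -> List[Dict[str, str]]:
    """Return one finding per (host, CVE) pair that still needs action."""
    findings: List[Dict[str, str]] = []
    for row in inventory:
        for rule in rules:
            if rule.product != row["product"]:
                continue
            if is_affected(rule, row["version"], row.get("platform", "")):
                action = f"upgrade to {' / '.join(rule.fixed)}" if rule.fixed else "upgrade to the latest release"
                findings.append({"host": row["host"], "cve": rule.cve,
                                 "version": row["version"], "action": action})
    return findings


# Constructed inventory rows (hostnames and versions are illustrative).
INVENTORY = [
    {"host": "mft-01", "product": "GoAnywhere MFT", "version": "7.8.3", "platform": "linux"},
    {"host": "mft-02", "product": "GoAnywhere MFT", "version": "7.6.3", "platform": "linux"},
    {"host": "cache-01", "product": "Redis", "version": "7.2.4", "platform": "linux"},
    {"host": "mac-dev-07", "product": "AWS Client VPN", "version": "5.1.0", "platform": "macos"},
    {"host": "win-ops-03", "product": "AWS Client VPN", "version": "5.1.0", "platform": "windows"},
    {"host": "mac-dev-09", "product": "AWS Client VPN", "version": "5.2.1", "platform": "macos"},
]

if __name__ == "__main__":
    for f in find_unpatched(INVENTORY):
        print(f"{f['host']}: {f['cve']} ({f['version']}) -> {f['action']}")
```

On the constructed inventory the check flags mft-01 (7.8.3 is below the 7.8.4 fix), cache-01 (every Redis release is listed as affected) and mac-dev-07 (5.1.0 sits inside the macOS affected range), while the Windows client and the already-patched hosts pass. Feeding the output into the ticketing or vulnerability-management workflow is what turns an inventory into the patch-tracking aid the advisory describes.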