Fail-Safe Friday - Executive Action Brief
September 12, 2025
This week emphasizes overlapping stealth risks: CVE-2025-5086 in DELMIA Apriso has been added to the CISA KEV after active exploitation, WhatsApp zero-day spyware is being deployed via zero-click attacks on iOS, and Akira ransomware is leveraging old SonicWall firewall flaws.
In parallel, the UK’s ICO highlights a surge in student-driven insider threats across education. If mobile, ICS, and insider controls aren’t tightened, exposure will spread quickly.
Top-level takeaways this week:
- File Transfer & Remote Access ↑ — GoAnywhere MFT and Gladinet/TrioFox vulnerabilities under active attack.
- Virtualization & Hypervisor Risk ↑ — VMware's zero-day patch underscores the importance of securing host and guest layers.
- Zero-Day & Exploit Velocity ↑ — KEV catalog additions reflect exploiters racing into newly disclosed flaws.
1) Storm-1175 exploits GoAnywhere MFT – High
What changed: Microsoft confirmed that Storm-1175 is actively exploiting CVE-2025-10035 (a deserialization flaw in GoAnywhere’s License Servlet) to gain remote access and deploy Medusa ransomware.
Why this matters: File transfer platforms are high-value pivots. Compromise here gives attackers distribution and exfiltration infrastructure deep inside networks.
2) CVE-2025-11371 exploited in Gladinet / TrioFox – High
What changed: Huntress observed active exploitation of a local file inclusion + RCE path in Gladinet/TrioFox (CVE-2025-11371).
Why this matters: These platforms are used by MSPs and remote access users; bypassing them gives lateral reach into endpoints and data stores.
3) VMware zero-day (CVE-2025-41244) patched – Medium
What changed: Broadcom pushed updates to remediate local privilege escalation in VMware Aria / VMware Tools (CVE-2025-41244) following reports of in-the-wild exploitation tied to UNC5174.
Why this matters: Hypervisor-level vulnerabilities let attackers escalate between guest and host boundaries—compromising isolation integrity.
4) CISA adds multiple flaws to KEV – Medium
What changed: CISA appended seven new vulnerabilities to its Known Exploited Vulnerabilities catalog, reflecting proven exploitation evidence.
Why this matters: Inclusion in KEV marks a transition point: adversaries are actively using these flaws in the wild, and defenders must prioritize patching them.
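One concrete way to act on a KEV addition is to cross-reference your own asset inventory against the catalog and rank exposures by due date and ransomware use. The script below is an added example, not the newsletter's or CISA's code: the KEV excerpt it embeds is constructed to mirror the field names of the real catalog JSON (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse), but its dates and due dates are illustrative, and the host inventory is assumed.

```python
"""Added example: cross-reference an asset inventory against a KEV-shaped feed
and rank unpatched exposures, most urgent first.

KEV_JSON is a constructed excerpt (same field names as the real catalog, but
illustrative dates); INVENTORY and the host names are assumptions."""
import json
from datetime import date

KEV_JSON = """
{
  "title": "Constructed KEV excerpt for illustration",
  "vulnerabilities": [
    {"cveID": "CVE-2025-10035", "vendorProject": "Fortra", "product": "GoAnywhere MFT",
     "dateAdded": "2025-09-29", "dueDate": "2025-10-20", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2025-11371", "vendorProject": "Gladinet", "product": "TrioFox",
     "dateAdded": "2025-10-02", "dueDate": "2025-10-23", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-41244", "vendorProject": "Broadcom", "product": "VMware Aria / VMware Tools",
     "dateAdded": "2025-09-30", "dueDate": "2025-10-21", "knownRansomwareCampaignUse": "Unknown"}
  ]
}
"""

# Constructed inventory: which CVEs each host is exposed to and whether the fix is applied.
INVENTORY = [
    {"host": "mft-01", "cves": ["CVE-2025-10035"], "patched": False},
    {"host": "files-02", "cves": ["CVE-2025-11371"], "patched": False},
    {"host": "esx-07", "cves": ["CVE-2025-41244"], "patched": True},
    {"host": "web-03", "cves": ["CVE-0000-0000"], "patched": False},  # placeholder CVE, not in KEV
]


def load_kev(text: str) -> dict[str, dict]:
    """Index the catalog by CVE id so inventory lookups are O(1)."""
    data = json.loads(text)
    return {entry["cveID"]: entry for entry in data["vulnerabilities"]}


def prioritize(kev_index: dict[str, dict], inventory: list[dict], today: date) -> list[dict]:
    """Return unpatched exposures that appear in KEV.

    Ordering: entries flagged with known ransomware campaign use come first,
    then the soonest remediation due date. Negative days_to_due means overdue."""
    findings = []
    for asset in inventory:
        if asset["patched"]:
            continue
        for cve in asset["cves"]:
            entry = kev_index.get(cve)
            if entry is None:
                continue  # not in KEV: still worth patching, but not this list's job
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "host": asset["host"],
                "cve": cve,
                "product": entry["product"],
                "days_to_due": (due - today).days,
                "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
            })
    findings.sort(key=lambda f: (not f["ransomware"], f["days_to_due"]))
    return findings


def report(today_iso: str = "2025-10-06") -> list[dict]:
    """Run the cross-reference for a given 'today' (the default is a constructed date)."""
    return prioritize(load_kev(KEV_JSON), INVENTORY, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for f in report():
        flag = "ransomware" if f["ransomware"] else ""
        print(f"{f['host']:10} {f['cve']}  {f['product']:28} due in {f['days_to_due']:>3}d  {flag}")
```

Swap in the real catalog (CISA publishes it as JSON) and your own CMDB export, and the same ordering gives a defensible patch queue: anything with a known ransomware link or a due date already passed goes to the top.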
| Stage | Vector | What We’re Seeing |
|---|---|---|
| Initial Access | Exploitable tools & transfer platforms | GoAnywhere MFT, Gladinet, VMware vulnerabilities leveraged for entry. |
| Lateral / Persist | Toolchain abuse & guest hopping | Attackers move through virtualization stacks, misuse remote access platforms. |
| Impact | Data theft, extortion & cross-tenant control | Medusa deployment, machine compromise, host-level control escalation. |
🔄 Patch & Hardening
- Remediate GoAnywhere MFT (CVE-2025-10035) immediately per vendor guidance.
- Disable or patch Gladinet/TrioFox Web.config/handler exposures until a full fix is available.
- Apply VMware host/guest patches for CVE-2025-41244 to prevent privilege escalation.
🧑‍💻 People & Monitoring
- Alert on anomalous Rclone or exfil activity from MFT servers.
- Monitor logs for hidden file inclusion or Web.config access in Gladinet systems.
- Watch for guest-to-host escalation patterns or new root escalation on VMs.
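The two log-based items above (Rclone on MFT servers, Web.config or file-inclusion requests against Gladinet) can be turned into simple detection rules. The script below is an added example, not the newsletter's code or any vendor's: the web access and process-creation log lines are constructed for illustration, the MFT host names and the tool list are assumptions, and the log formats are simplified stand-ins for whatever your web server and EDR actually emit.

```python
"""Added example: two detection rules for this week's monitoring items, run
over constructed sample logs.

Rule 1 flags web requests that reach for Web.config or use path traversal,
decoding percent-encoding twice so double-encoded attempts are not missed.
Rule 2 flags bulk-copy tooling such as rclone launching on hosts designated
as MFT servers. Host names, log formats and the tool list are assumptions."""
import re
from urllib.parse import unquote

# Assumed inventory: hosts designated as managed file-transfer servers.
MFT_HOSTS = {"mft-01", "mft-02"}
# Sync/copy tooling that has no business running on an MFT server.
EXFIL_TOOLS = {"rclone", "rclone.exe"}

# Constructed web access lines: "<date> <time> <method> <path> <status> <client>".
WEB_LOG = """\
2025-09-12 09:58:11 GET /portal/loginpage.aspx 200 198.51.100.20
2025-09-12 09:58:40 GET /portal/..%2F..%2Fweb.config 200 203.0.113.5
2025-09-12 09:59:02 GET /portal/images/logo.png 200 198.51.100.20
2025-09-12 09:59:30 GET /files/download?name=%252e%252e%252fWeb.config 404 203.0.113.5
2025-09-12 10:00:05 POST /portal/upload 302 198.51.100.21
"""

# Constructed process-creation events (key=value style, one per line).
PROCESS_LOG = r"""
2025-09-12 10:05:00 host=mft-01 user=svc_mft image=C:\Tools\rclone.exe
2025-09-12 10:06:10 host=ws-042 user=jdoe image=C:\Tools\rclone.exe
2025-09-12 10:07:30 host=mft-02 user=svc_mft image=C:\Windows\System32\svchost.exe
"""

TRAVERSAL = re.compile(r"\.\.[\\/]")
KEY_VALUE = re.compile(r"(\w+)=(\S+)")


def decode_path(raw: str) -> str:
    """Percent-decode twice so %252e%252e%252f (double-encoded ../) is seen as ../."""
    return unquote(unquote(raw))


def web_alerts(log_text: str) -> list[dict]:
    """One alert per request touching Web.config or using traversal.

    A 200 response on such a path is rated high (the server served it);
    a rejected attempt is rated medium (still worth a look at the client)."""
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # blank or malformed line
        day, clock, method, path, status, client = parts
        decoded = decode_path(path)
        reasons = []
        if "web.config" in decoded.lower():
            reasons.append("web.config access")
        if TRAVERSAL.search(decoded):
            reasons.append("path traversal")
        if reasons:
            alerts.append({
                "time": f"{day} {clock}", "method": method, "client": client,
                "path": decoded, "status": status, "reasons": reasons,
                "severity": "high" if status == "200" else "medium",
            })
    return alerts


def process_alerts(event_text: str) -> list[dict]:
    """One alert per exfil-capable tool launched on a designated MFT host."""
    alerts = []
    for line in event_text.splitlines():
        fields = dict(KEY_VALUE.findall(line))
        if not fields:
            continue
        # Basename of the image path, tolerant of either separator.
        image = re.split(r"[\\/]", fields.get("image", ""))[-1].lower()
        if fields.get("host") in MFT_HOSTS and image in EXFIL_TOOLS:
            alerts.append({"host": fields["host"], "user": fields.get("user"), "image": image})
    return alerts


if __name__ == "__main__":
    for alert in web_alerts(WEB_LOG) + process_alerts(PROCESS_LOG):
        print(alert)
```

On the constructed input the web rule fires twice (both from 203.0.113.5, one served with a 200 and one rejected), and the process rule fires once for rclone on mft-01 while ignoring the same binary on a workstation, which is the scoping the newsletter's item implies: the signal is rclone on the transfer server, not rclone anywhere.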
📋 Process
- Freeze new remote access tool changes and file transfer configurations over the weekend.
- Run a tabletop: “MFT compromise → lateral spread → hypervisor exploit → data exfiltration / encryption.”
🤝 Partners
- Require MSPs to attest patching state of all managed remote access platforms.
- Maintain vendor escalation paths and public reporting transparency for MFT, virtualization, and remote tools.
- File transfer tools are high-value attack surfaces - platforms like GoAnywhere and Gladinet are now under siege.
- Hypervisor-level compromises magnify risk - VMware’s zero-day shows escalation paths are actively being weaponized.
- KEV updates confirm exploit momentum - defenders must close the gap between disclosure and deployment.
- 🔄 Attest: MFT servers, remote access systems, and VMware hosts are patched or isolated.
- 📊 Validate: Remote access logs, file transfer patterns, and hypervisor audit logs for anomalies.
- 💼 Confirm: No unmanaged remote access tools exist outside standard procurement.
- 🔹 Double-check: Monday tabletop: “MFT breach → hypervisor escalation → mass exfiltration/extortion.”
Final Insight: This week’s attacks won’t show up solely in antivirus logs—they live in transfer engines, host tools, and virtualization borders. Defenders must elevate their focus to the plumbing, not just the payloads.