
A critical vulnerability in Fortra’s GoAnywhere Managed File Transfer (MFT) software, tracked as CVE-2025-10035, was actively exploited in the wild for over a week before the vendor released a patch. The flaw, which carries a maximum-severity CVSS score of 10.0, allows unauthenticated attackers to execute arbitrary commands on affected systems. According to analysis from watchTowr Labs, evidence of exploitation dates back to September 10, 2025, making this a zero-day attack that predates Fortra’s public disclosure on September 18 [1, 4].
The vulnerability resides in the License Servlet component of GoAnywhere MFT. It is an unsafe deserialization flaw that enables a remote attacker with a forged license response signature to deserialize a malicious Java object. This leads directly to remote code execution (RCE) without requiring any authentication [2, 9]. The attack vector is network-based, has low complexity, and requires no user interaction, which contributes to its critical severity rating [8, 9]. Patches are available in GoAnywhere MFT versions 7.8.4 and Sustain Release 7.6.3.
Technical Breakdown of the Vulnerability Chain
Security researchers from Rapid7 and watchTowr have clarified that CVE-2025-10035 is not a single isolated bug but rather part of an exploitation chain [4, 9]. The chain begins with a known access control bypass vulnerability that was previously identified in 2023. This initial bypass allows an attacker to reach the vulnerable License Servlet. The core of CVE-2025-10035 is the unsafe deserialization of an attacker-controlled object. However, successful exploitation requires a third element: the ability for the attacker to obtain or forge the private key (`serverkey1`) needed to create a valid signature for the malicious license response. This multi-stage nature explains why exploitation, while severe, may have specific prerequisites.
Analysis of an attack observed by watchTowr provides a clear picture of the post-exploitation activity. The attack, originating from IP address `155.2.190[.]197`, followed a methodical sequence [4]. After achieving pre-authentication RCE, the threat actor created a new backdoor administrator account named “admin-go” within the GoAnywhere MFT application. Using this administrative access, they then created a standard web user account to maintain persistent access to the system. Finally, the attacker uploaded and executed additional payloads, including the remote access tool SimpleHelp and a custom implant, to solidify their control over the compromised server.
Historical Context and High-Risk Target Profile
This incident is not an isolated event for Fortra’s file transfer software. Researchers have noted that the new flaw is “virtually identical” to CVE-2023-0669, a GoAnywhere MFT vulnerability that was massively exploited by the Clop ransomware gang in 2023, impacting over 100 organizations [1, 7]. The repeated occurrence of severe vulnerabilities in the same product highlights a persistent security challenge. Furthermore, the US Cybersecurity and Infrastructure Security Agency (CISA) catalog lists three previous GoAnywhere flaws from 2023, and a critical authentication bypass (CVE-2024-0204) was patched in January 2024 [1, 3].
Managed File Transfer solutions like GoAnywhere are high-value targets for ransomware groups and advanced persistent threats (APTs). These systems act as central repositories for sensitive data moving between numerous organizations, making them ideal for large-scale data theft and extortion campaigns [1]. The potential impact is significant, as evidenced by data from Shadowserver, which identified over 450 GoAnywhere MFT instances exposed to the public internet as of late September 2025 [8]. This large attack surface increases the likelihood of widespread exploitation.
Diverging Assessments and Urgent Mitigation Steps
A notable point of contention emerged between the vendor and security researchers regarding the timeline of active exploitation. Fortra’s initial advisory on September 18 stated that there was “no evidence of active exploitation” at the time of disclosure and emphasized that the primary risk was to systems with internet-exposed Admin Consoles [1, 6, 9]. In contrast, researchers from watchTowr and VulnCheck stated they had “credible evidence” of exploitation dating back to September 10 and warned that widespread abuse was “just a matter of time” [1, 4, 5].
The most critical immediate mitigation step is to ensure that the GoAnywhere MFT Admin Console is not accessible from the public internet. Fortra and multiple security firms have stressed that exploitation is highly dependent on this external exposure [1, 2, 8]. For detection, administrators should meticulously review Admin Audit logs and error files for entries containing the string `SignedObject.getObject`, as this may indicate an attempt to process a malicious license response [8]. Applying the available patches to versions 7.8.4 or 7.6.3 is, of course, the definitive remediation action.
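The following script is an added example, not code from the article or from Fortra, showing how the indicators named above can be swept across exported log lines: the `SignedObject.getObject` string, the “admin-go” account name, and the source IP watchTowr observed. The log lines it runs against are constructed samples; real GoAnywhere log formats will differ, so only the substring checks are assumed.

```python
import re
from dataclasses import dataclass

# Indicators taken from the article. Matching is by substring, so the log
# format itself does not matter (assumption: exported logs are plain text).
DESERIALIZATION_MARKER = "SignedObject.getObject"
BACKDOOR_ADMIN_USER = "admin-go"
OBSERVED_SOURCE_IP = "155.2.190.197"

# Constructed sample lines for the demo; not real GoAnywhere output.
SAMPLE_LINES = [
    "2025-09-10 03:12:40 INFO  connection accepted from 155.2.190.197",
    "2025-09-10 03:12:44 ERROR license processing failed at "
    "java.security.SignedObject.getObject(SignedObject.java)",
    "2025-09-10 03:13:01 INFO  admin user 'admin-go' created",
    "2025-09-10 03:14:20 INFO  web user 'svc-sync' created",
    "2025-09-11 08:00:00 INFO  scheduled license check succeeded",
]


@dataclass
class Finding:
    line_no: int
    indicator: str
    line: str


def scan_log_lines(lines):
    """Return one Finding per (line, indicator) hit, in file order."""
    findings = []
    # Word boundaries keep 'admin-go' from matching e.g. 'admin-gopher'.
    admin_re = re.compile(r"\b" + re.escape(BACKDOOR_ADMIN_USER) + r"\b")
    for n, line in enumerate(lines, start=1):
        if DESERIALIZATION_MARKER in line:
            findings.append(Finding(n, "deserialization", line.strip()))
        if admin_re.search(line):
            findings.append(Finding(n, "backdoor_admin", line.strip()))
        if OBSERVED_SOURCE_IP in line:
            findings.append(Finding(n, "known_source_ip", line.strip()))
    return findings


def summarize(findings):
    """Count hits per indicator so a reviewer sees the shape at a glance."""
    counts = {}
    for f in findings:
        counts[f.indicator] = counts.get(f.indicator, 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan_log_lines(SAMPLE_LINES)
    for h in hits:
        print(f"line {h.line_no}: [{h.indicator}] {h.line}")
    print(summarize(hits))
```

Run it against a concatenated export of the Admin Audit and error logs; any `deserialization` hit on an internet-reachable instance warrants a full investigation, not just patching.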
The exploitation of CVE-2025-10035 as a zero-day underscores the persistent threat to enterprise file transfer systems. While patches are now available, the week-long gap between in-the-wild exploitation and public disclosure provided a window for attackers to compromise targets. The similarity to past critically exploited vulnerabilities in the same product suggests that organizations running GoAnywhere MFT should treat its security with heightened priority. Continuous monitoring for IOCs and strict network access controls remain essential defensive measures for this high-risk software.