Recent Fortra GoAnywhere MFT Vulnerability Exploited as Zero-Day


Exploitation of a recently disclosed Fortra GoAnywhere MFT vulnerability started at least one week before patches were released, cybersecurity firm watchTowr reports.

Fortra fixed the security defect, tracked as CVE-2025-10035 (CVSS score of 10/10), on September 18, making no mention of its in-the-wild exploitation, but sharing indicators-of-compromise (IoCs) to help organizations hunt for potential attacks.

The flaw is described as a deserialization vulnerability in the secure file transfer application’s license servlet, which could allow an attacker with a forged license response signature to deserialize a crafted object and achieve command injection.
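The safe shape of the component described above, as an added illustration that is not Fortra's or GoAnywhere's code: the JSON license format, the HMAC-SHA256 signing scheme, `DEMO_KEY` and every function name are constructed assumptions. It shows the defensive point the vulnerability makes: a signature check must not be the only thing between an untrusted blob and an object deserializer, so the license response is verified first and then parsed as plain data against a fixed schema, never handed to a deserializer that can instantiate classes chosen by the payload.

```python
"""Verify a signed license response, then parse it as plain data.

Added illustration (not Fortra's or GoAnywhere's code): the JSON license
format, the HMAC-SHA256 scheme and DEMO_KEY are all constructed. A valid
(or forged) signature only ever yields a fixed-shape License value here.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed demo key; a real deployment keeps the verification key in the
# application and the signing key on the vendor's license server.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"

# The only fields a license response may carry, with their exact types.
EXPECTED_FIELDS = {"customer": str, "seats": int, "expires": str}


@dataclass(frozen=True)
class License:
    customer: str
    seats: int
    expires: str


def encode(doc: dict) -> bytes:
    """Serialize a license document the way the hypothetical server would."""
    return json.dumps(doc, sort_keys=True).encode("utf-8")


def sign(payload: bytes, key: bytes) -> bytes:
    """Signature the license server attaches to a response (demo scheme)."""
    return hmac.new(key, payload, hashlib.sha256).digest()


def verify(payload: bytes, signature: bytes, key: bytes) -> bool:
    """Constant-time comparison so timing does not leak the expected MAC."""
    return hmac.compare_digest(sign(payload, key), signature)


def parse_license(payload: bytes, signature: bytes, key: bytes) -> License:
    """Signature first, then a strict schema check on plain JSON.

    Raises ValueError on a bad signature, non-JSON payload, unexpected or
    missing keys, wrong field types, or an invalid seat count. No code path
    here can instantiate a class named by the payload.
    """
    if not verify(payload, signature, key):
        raise ValueError("license signature invalid")
    try:
        doc = json.loads(payload.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError("license payload is not valid JSON") from exc
    if not isinstance(doc, dict) or set(doc) != set(EXPECTED_FIELDS):
        raise ValueError("license schema mismatch")
    for name, typ in EXPECTED_FIELDS.items():
        value = doc[name]
        # bool is a subclass of int, so it has to be rejected explicitly
        if isinstance(value, bool) or not isinstance(value, typ):
            raise ValueError(f"field {name!r} has the wrong type")
    if doc["seats"] <= 0:
        raise ValueError("seats must be positive")
    return License(**doc)


def accepts(payload: bytes, signature: bytes, key: bytes) -> bool:
    """True if parse_license accepts the response, False if it rejects it."""
    try:
        parse_license(payload, signature, key)
        return True
    except ValueError:
        return False


def demo() -> License:
    """Constructed happy path: server signs, application verifies and parses."""
    payload = encode({"customer": "Example Corp", "seats": 25,
                      "expires": "2026-01-01"})
    return parse_license(payload, sign(payload, DEMO_KEY), DEMO_KEY)
```

The design choice worth noting is that the signature check and the schema check are both required: the signature authenticates the sender, the schema bounds what an authenticated (or, as in this case, forged) message can do. Neither alone is enough.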

“Immediately ensure that access to the GoAnywhere Admin Console is not open to the public. Exploitation of this vulnerability is highly dependent upon systems being externally exposed to the internet,” Fortra warned.

According to watchTowr, Fortra's patches came eight days after exploitation began: the issue was already being exploited as a zero-day when it was discovered on September 11.

“We have been given credible evidence of in-the-wild exploitation of Fortra GoAnywhere CVE-2025-10035 dating back to September 10, 2025. That is eight days before Fortra’s public advisory,” watchTowr notes.

As part of the observed attacks, hackers triggered the vulnerability for remote code execution (RCE), without authentication, to create a backdoor admin account on vulnerable instances.

Then, they leveraged the account to create a web user that provided them with access to the MFT service, and used it to upload and execute various additional payloads.
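A hunting check for the post-exploitation chain described in the two paragraphs above, as an added example that is not Fortra's or watchTowr's detection content. GoAnywhere's real audit log schema is not shown on the page, so the events below use a constructed, hypothetical `timestamp|actor|event|target|source` format and constructed event names; only `parse_event` would need adapting to a real log. The logic flags a newly created admin account that, within a window, creates a web user which then uploads files, and leaves ordinary administration alone.

```python
"""Hunt an audit log for the admin-account / web-user / upload chain.

Added example, not Fortra's or watchTowr's detection content. The log format,
event names and sample lines are constructed for illustration.
"""
from datetime import datetime, timedelta

# Constructed sample events (hypothetical format). Lines 2-5 mirror the
# reported sequence: an admin account appears, that account creates a web
# user within minutes, and the web user uploads files. The other lines are
# benign administration and must not be flagged.
SAMPLE_LOG = """\
2025-09-09T15:00:00Z|alice.admin|ADMIN_USER_CREATED|bob.admin|10.0.0.5
2025-09-10T02:14:03Z|system|ADMIN_USER_CREATED|svc_backup|127.0.0.1
2025-09-10T02:14:41Z|svc_backup|WEB_USER_CREATED|transfer01|203.0.113.10
2025-09-10T02:16:12Z|transfer01|FILE_UPLOADED|/inbox/stage1.bin|203.0.113.10
2025-09-10T02:16:40Z|transfer01|FILE_UPLOADED|/inbox/stage2.bin|203.0.113.10
2025-09-10T09:01:00Z|alice.admin|WEB_USER_CREATED|partner_acme|10.0.0.5
2025-09-10T09:30:00Z|partner_acme|FILE_UPLOADED|/inbox/report.pdf|198.51.100.7
"""


def parse_event(line: str) -> dict:
    """Split one hypothetical-format audit line into a dict."""
    ts, actor, event, target, source = line.strip().split("|")
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "actor": actor, "event": event, "target": target, "source": source}


def within(later: datetime, earlier: datetime, window: timedelta) -> bool:
    """True if `later` follows `earlier` by at most `window`."""
    return timedelta(0) <= later - earlier <= window


def find_backdoor_chains(log_text: str, window_seconds: int = 3600) -> list:
    """One finding per new admin account that, within the window, created a
    web user which then uploaded files. Each step must follow the previous
    one within `window_seconds`."""
    window = timedelta(seconds=window_seconds)
    events = [parse_event(l) for l in log_text.splitlines() if l.strip()]
    findings = []
    for admin_evt in events:
        if admin_evt["event"] != "ADMIN_USER_CREATED":
            continue
        new_admin = admin_evt["target"]
        # Step 2: web users created by the new admin shortly after it appeared
        web_users = {f["target"]: f for f in events
                     if f["event"] == "WEB_USER_CREATED"
                     and f["actor"] == new_admin
                     and within(f["ts"], admin_evt["ts"], window)}
        if not web_users:
            continue
        # Step 3: uploads by those web users shortly after their creation
        uploads = [g for g in events
                   if g["event"] == "FILE_UPLOADED"
                   and g["actor"] in web_users
                   and within(g["ts"], web_users[g["actor"]]["ts"], window)]
        if not uploads:
            continue
        sources = ({admin_evt["source"]}
                   | {f["source"] for f in web_users.values()}
                   | {g["source"] for g in uploads})
        findings.append({
            "admin": new_admin,
            "admin_created": admin_evt["ts"].isoformat(),
            "web_users": sorted(web_users),
            "uploads": [g["target"] for g in uploads],
            "sources": sorted(sources),
        })
    return findings


if __name__ == "__main__":
    for finding in find_backdoor_chains(SAMPLE_LOG):
        print(finding)
```

On the constructed sample this reports exactly one chain (`svc_backup` creating `transfer01`, which uploads two files) and ignores the legitimate admin and partner activity. Shrinking the window below the 38 seconds between the first two steps makes the chain disappear, which is the knob to tune against real admin behaviour.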


In a technical analysis of the CVE, watchTowr pointed out that there are over 20,000 GoAnywhere MFT instances accessible from the internet, including deployments pertaining to Fortune 500 companies.

Cybersecurity outfit Rapid7, which performed its own in-depth analysis of the security defect, explains that it is not a simple deserialization issue, but a chain of three separate bugs.

“This includes an access control bypass that has been known since 2023, the unsafe deserialization vulnerability CVE-2025-10035, and an as-yet unknown issue pertaining to how the attackers can know a specific private key,” Rapid7 explains.

The company flagged the access control bypass in February 2023, when Fortra patched a pre-authentication remote code execution bug in GoAnywhere MFT that had been exploited as a zero-day.

Both watchTowr and Rapid7 underline that they could not find the private key ‘serverkey1’ needed to forge the license response signature, without which CVE-2025-10035 cannot be successfully exploited.

The two companies note that exploitation is possible only if the private key was leaked and the attackers got hold of it, if the attackers tricked a license server into signing their malicious payload, or if they obtained serverkey1 by some as-yet unknown means.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.