CVE-2025-10035, a perfect CVSS 10.0 vulnerability in the Fortra GoAnywhere managed file transfer solution, has apparently been exploited in zero-day attacks before the patch was released on September 15, 2025.
Evidence of in-the-wild exploitation revealed
On September 18, Fortra urged GoAnywhere users to upgrade to version 7.8.4 or v7.6.3 (Sustain Release) to fix a deserialization vulnerability in the solution’s License Servlet, which “allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection.”
Because they found it odd that Fortra shared a specific log string as proof that “an instance was likely affected by this vulnerability,” watchTowr researchers decided to investigate the flaw and the fix for it themselves.
After making their analysis public and sharing their belief that Fortra likely knew that the vulnerability was being actively exploited shortly after they published the fix, they were contacted by an individual who shared “credible evidence” of in-the-wild exploitation of CVE-2025-10035 dating back to September 10, 2025.
“That is eight days before Fortra’s public advisory, published September 18, 2025,” the watchTowr researchers noted. “This explains why Fortra later decided to publish limited IOCs, and we’re now urging defenders to immediately change how they think about timelines and risk.”
Around the same time, Rapid7 researchers also analyzed the flaw and the fix, and concluded that the issue is not just a single deserialization vulnerability, but a chain that includes:
- An access control bypass flaw that has been known since 2023
- The unsafe deserialization vulnerability (CVE-2025-10035), and
- A still unclear issue that allowed attackers to know (and use) a specific private key to forge a license response signature
Unanswered questions and advice for customers
Both Rapid7 and watchTowr researchers speculated on how the attackers got their hands on this private key, but for customers, the important thing now is to check their installations and underlying system for the indicators of compromise shared by watchTowr.
According to the researchers, after triggering the vulnerability and achieving remote code execution on vulnerable GoAnywhere MFT instances, the attackers created an admin account named admin-go that effectively serves as a backdoor.
With this account, they created a web user, and via that user they uploaded and executed an unknown second-stage implant and a SimpleHelp (remote support software) binary.
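A defender-side hunt for the post-exploitation chain described above (rogue admin account, web user created by it, files that user uploaded or executed), written as an added example and not code from watchTowr, Rapid7 or Fortra. The key=value event format, the timestamps and every account name other than admin-go are constructed assumptions, not Fortra's real log format.

```python
import re
from collections import defaultdict

# Constructed audit-style event lines; the key=value layout is a hypothetical
# format for this example, not GoAnywhere's actual log format.
SAMPLE_EVENTS = [
    "2025-09-10T03:12:44Z actor=system action=create_admin target=admin-go",
    "2025-09-10T03:13:01Z actor=admin-go action=create_webuser target=svc-upload",
    "2025-09-10T03:14:20Z actor=svc-upload action=upload target=/tmp/stage2.bin",
    "2025-09-10T03:15:02Z actor=svc-upload action=execute target=/tmp/stage2.bin",
    "2025-09-10T03:16:40Z actor=svc-upload action=upload target=/tmp/SimpleHelp.exe",
    "2025-09-11T09:00:00Z actor=alice action=create_webuser target=partner1",
    "2025-09-11T09:05:00Z actor=partner1 action=upload target=/data/report.pdf",
]

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) actor=(?P<actor>\S+) action=(?P<action>\S+) target=(?P<target>\S+)$"
)

def parse(lines):
    """Parse the constructed event format; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def hunt(lines, expected_admins):
    """Walk the chain reported for CVE-2025-10035 intrusions: any admin account
    not on the expected list (admin-go is the reported backdoor name), the web
    users those admins created, and every file those web users uploaded or
    executed. Returns the correlated chain rather than isolated string matches."""
    events = parse(lines)
    suspicious_admins = {e["target"] for e in events
                         if e["action"] == "create_admin" and e["target"] not in expected_admins}
    linked_users = {e["target"] for e in events
                    if e["action"] == "create_webuser" and e["actor"] in suspicious_admins}
    staged = defaultdict(list)
    for e in events:
        if e["actor"] in linked_users and e["action"] in ("upload", "execute"):
            staged[e["target"]].append(e["action"])
    return {"admins": sorted(suspicious_admins),
            "webusers": sorted(linked_users),
            "files": dict(staged)}
```

Legitimate activity by accounts outside the chain (alice and partner1 above) is not flagged, so the output is a short list worth pivoting on rather than every upload on the box.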
Users who find evidence of compromise should investigate further to discover the full scope of the breach. But whether they find evidence or not, they should still upgrade to a fixed version as soon as possible.