A critical vulnerability with a perfect CVSS score of 10.0 in Fortra’s GoAnywhere Managed File Transfer (MFT) solution was actively exploited as a zero-day at least a week before the company released a patch.
The vulnerability, tracked as CVE-2025-10035, is a command injection flaw that allows for unauthenticated remote code execution. Security firm watchTowr reported credible evidence of in-the-wild exploitation dating back to September 10, 2025, eight days before Fortra’s public advisory on September 18.
Fortra initially described the vulnerability as a deserialization issue in the GoAnywhere MFT License Servlet. According to the vendor’s advisory, an attacker with a “validly forged license response signature” could deserialize a crafted object, leading to command injection.
However, Fortra’s initial announcement on September 18 made no mention of active exploitation, despite including Indicators of Compromise (IoCs), a move that researchers found unusual. The company stated the issue was found during an internal security check on September 11.
Vulnerability Exploited as 0-Day
Security researchers have provided a more detailed picture of the flaw and its exploitation timeline.
Research from Rapid7 indicates that CVE-2025-10035 is not a single bug but a chain of three separate issues: an access control bypass known since 2023, the new unsafe deserialization flaw, and an unknown issue that allows attackers to know a specific private key needed for the exploit.
Threat actors exploited the pre-authentication deserialization vulnerability to achieve Remote Code Execution (RCE).
With this access, they created a backdoor administrator account named admin-go and then used it to create a “legitimate” web user account to access the MFT service. Through this web user, the attackers uploaded and executed multiple secondary payloads.
According to watchTowr Labs, the exploitation started on September 10, predating the patch release on September 15 and the public advisory on September 18, confirming its status as a zero-day vulnerability.
The disclosure has drawn criticism, as Fortra is a signatory of the Secure By Design pledge, which commits to transparency about in-the-wild exploitation. Because the active attacks were not initially disclosed, security teams were left to assess risk without a full understanding of the threat timeline.
Indicators of Compromise (IoCs)
Evidence of the in-the-wild attacks includes several key indicators:
- Backdoor Account: A local account named admin-go was created on compromised systems.
- Malicious Files: Payloads such as C:\Windows\zato_be.exe and C:\Windows\jwunst.exe (a SimpleHelp binary) were observed.
- Attacker IP: The IP address 155.2.190.197 was linked to the threat actor.
- Commands Executed: The command whoami /groups was run, with its output saved to C:\Windows\test.txt.
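One way to sweep exported logs for the indicators listed above, as an added example that is not code from the article, Fortra or watchTowr. It assumes the logs are available as plain text lines; the sample lines are constructed, and the patterns are anchored so that look-alike account names and longer dotted numbers do not trigger.

```python
import re

# IoC values are the ones listed in the article; the patterns around them are
# this example's choice. Windows paths are matched case-insensitively and with
# either slash direction, since log sources normalise them differently.
WIN = r"c:[\\/]+windows[\\/]+"
IOC_PATTERNS = {
    "backdoor_account": r"(?<![\w-])admin-go(?![\w-])",
    "payload_file": WIN + r"(?:zato_be|jwunst)\.exe\b",
    "attacker_ip": r"(?<!\d)(?<!\d\.)155\.2\.190\.197(?!\.?\d)",
    "recon_command": r"\bwhoami\s+/groups\b",
    "recon_output": WIN + r"test\.txt\b",
}
COMPILED = {name: re.compile(p, re.IGNORECASE) for name, p in IOC_PATTERNS.items()}


def scan(lines):
    """Return (line_number, ioc_name) for every IoC hit; line numbers start at 1."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for name, pattern in COMPILED.items():
            if pattern.search(line):
                hits.append((number, name))
    return hits


# Constructed sample lines (not real GoAnywhere or Windows log output).
# Lines 4 and 5 are near misses that must not be reported.
SAMPLE_LOG = [
    "2025-09-10T03:14:07Z admin login ok user=admin-go src=155.2.190.197:49822",
    "2025-09-10T03:15:41Z process start cmd='whoami /groups > C:\\Windows\\test.txt'",
    "2025-09-10T03:19:02Z file created path=c:/windows/ZATO_BE.EXE",
    "2025-09-10T04:00:00Z admin login ok user=admin-gopher build=7.155.2.190.197",
    "2025-09-10T04:05:00Z file created path=C:\\Windows\\Temp\\jwunst.exe.log",
]

if __name__ == "__main__":
    for number, name in scan(SAMPLE_LOG):
        print(f"line {number}: {name}: {SAMPLE_LOG[number - 1]}")
```

A hit on any single indicator is a lead to investigate rather than proof of compromise; the account name and file paths are strongest when they appear together with the listed IP address.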
Fortra has released GoAnywhere MFT version 7.8.4 and Sustain version 7.6.3 to address the vulnerability.
Given the history of GoAnywhere MFT being targeted by ransomware groups, organizations are urged to patch immediately and ensure their admin consoles are not exposed to the public internet.