Critical Fortra GoAnywhere Flaw Exploited Before Disclosure

A critical security vulnerability in Fortra GoAnywhere Managed File Transfer software was actively exploited in the wild at least one week before its public disclosure, according to cybersecurity researchers at watchTowr Labs. The vulnerability, tracked as CVE-2025-10035, carries the maximum severity rating of CVSS 10.0 and poses significant risks to organizations using the popular file transfer solution.

Evidence of Active Exploitation Before Disclosure

Cybersecurity firm watchTowr Labs revealed credible evidence showing exploitation of the GoAnywhere vulnerability dating back to September 10, 2025, seven days before the security flaw was publicly announced. This timeline raises serious concerns about the window of vulnerability during which affected systems remained unprotected.

Benjamin Harris, CEO and Founder of watchTowr, emphasized the gravity of the situation, noting that this isn't merely a critical vulnerability in a widely-used enterprise solution, but one that has been actively weaponized by threat actors. The software has historically been a target for advanced persistent threat groups and ransomware operators, making this discovery particularly alarming for security teams.

The exploitation evidence includes stack traces showing the creation of backdoor accounts, demonstrating that attackers had developed sophisticated methods to compromise affected systems before patches became available.

Technical Details of CVE-2025-10035

The vulnerability stems from a deserialization flaw in the License Servlet component of Fortra GoAnywhere MFT. Attackers can exploit this weakness to achieve command injection without requiring any authentication, making it an extremely dangerous security gap.

According to watchTowr's technical analysis, the attack vector involves sending a specially crafted HTTP GET request to the "/goanywhere/license/Unlicensed.xhtml/" endpoint. This allows direct interaction with the License Servlet component, specifically targeting "com.linoma.ga.ui.admin.servlet.LicenseResponseServlet" that's exposed at "/goanywhere/lic/accept/<GUID>".

However, the complete exploitation chain is more complex than initially understood. Cybersecurity vendor Rapid7's analysis revealed that CVE-2025-10035 isn't a standalone vulnerability but rather part of a chain involving three separate security issues. These include an access control bypass known since 2023, the unsafe deserialization vulnerability itself, and an additional unknown issue related to how attackers obtain a specific private key.

Attack Chain and Threat Actor Activity

WatchTowr's subsequent investigation uncovered detailed information about how threat actors exploited the vulnerability in real-world attacks. The attack sequence follows a methodical pattern designed to establish persistent access to compromised systems.

First, attackers trigger the pre-authentication vulnerability to achieve remote code execution on the target system. They then leverage this initial access to create a GoAnywhere user account named "admin-go," establishing their foothold within the application. Using this newly created account, attackers proceed to create a web user, which provides them with additional capabilities to interact with the solution.

Finally, the threat actors use the web user account to upload and execute additional malicious payloads. Researchers identified several tools deployed during these attacks, including SimpleHelp and an unknown implant called "zato_be.exe." This multi-stage approach demonstrates the sophistication of the threat actors exploiting this vulnerability.

Interestingly, the attack activity originated from IP address 155.2.190.197, which has been previously flagged for conducting brute-force attacks against Fortinet FortiGate SSL VPN appliances in early August 2025, suggesting the involvement of organized threat actors with diverse targeting capabilities.

Mitigation and Recommended Actions

Fortra responded to the vulnerability disclosure by releasing patched versions of GoAnywhere MFT last week. Organizations running affected versions should immediately upgrade to version 7.8.4 or the Sustain Release 7.6.3 to remediate the security flaw.

Given the confirmed evidence of active exploitation in the wild, security teams should treat this update as an emergency priority. Organizations that cannot immediately apply patches should consider implementing temporary workarounds, such as restricting network access to the GoAnywhere MFT interface or placing the system behind additional security controls.

Security professionals should also conduct thorough forensic investigations of their GoAnywhere MFT systems to check for signs of compromise. Indicators to look for include unexpected user accounts, particularly those named "admin-go," unusual web user creation activity, and evidence of SimpleHelp or unknown executable deployments.

The vulnerability serves as a stark reminder of the importance of rapid patch deployment, especially for internet-facing file transfer solutions that are frequently targeted by advanced threat actors and ransomware groups. Organizations relying on GoAnywhere MFT for secure file transfers must prioritize the security update to protect sensitive data and prevent potential breaches.

SOURCE - https://thehackernews.com/2025/09/fortra-goanywhere-cvss-10-flaw.html