
    CVE-2025-10035: Critical Vulnerability in Fortra GoAnywhere MFT

    By admin | April 10, 2026 | 4 Mins Read



    • Cybersecurity company Fortra disclosed a new critical vulnerability in GoAnywhere MFT
    • It’s unclear whether the vulnerability has been exploited in the wild, but past GoAnywhere MFT vulnerabilities have been targeted by ransomware and other threat actors (note: we later discovered the vulnerability was exploited as a zero-day)
    • Fixed versions are available and customers should restrict access to the admin console

    Late on Thursday, September 18, cybersecurity firm Fortra published an advisory for CVE-2025-10035, a critical vulnerability in their GoAnywhere MFT solution. The vulnerability ultimately arises from a deserialization flaw in GoAnywhere MFT’s license servlet, allowing remote attackers with “a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection.” The vulnerability carries a CVSSv3 score of 10.

    Fortra’s advisory doesn’t specify whether the issue has been exploited in the wild.

    GoAnywhere MFT is a managed file transfer product that stores a wealth of sensitive data, which makes it a crown-jewel target, particularly for ransomware and extortion groups. The vendor advisory lists the discovery date for CVE-2025-10035 as September 13, meaning the turnaround time from discovery to patch release was nominally only five days, an appropriately urgent (but still impressive) fix timeline for a product that has previously been exploited by ransomware and other groups:

    • CVE-2023-0669, another deserialization vulnerability that led to command injection, was disclosed as a zero-day in early 2023 after being exploited by the Cl0p ransomware and extortion group in a hack that affected 100+ organizations; to date, the flaw is known to have been leveraged by at least five different ransomware groups.
    • CVE-2024-0204, a critical authentication bypass, was disclosed in early 2024 and allowed adversaries to access the admin panel and add unauthorized admin users. CVE-2024-0204 isn’t known to have been exploited en masse, but has had multiple weaponized public exploits available since January 2024; Shadowserver is still detecting ongoing exploitation attempts for this issue as of September 2025.

    Notably, the vulnerability description and root cause of CVE-2025-10035 are virtually identical to the description of CVE-2023-0669.

    Since VulnCheck originally published this blog post, multiple sources have reported that CVE-2025-10035 was exploited in the wild as a zero-day. On September 25, 2025, security firm watchTowr disclosed that evidence of exploitation had been reported to them privately and aligned directly with the stack traces laid out in Fortra’s advisory. On September 29, the vulnerability was also added to CISA KEV. A week later, on October 6, Microsoft published a blog post detailing in-the-wild exploitation attributed to Storm-1175, which in at least one incident resulted in Medusa ransomware deployment; the activity Microsoft observed began on September 11, a week before Fortra’s public advisory on CVE-2025-10035.

    VulnCheck and at least two other research firms (watchTowr and Rapid7) have analyzed CVE-2025-10035 and independently determined that exploitation requires a private key that is not generally known. Since CVE-2025-10035 has now been identified as a zero-day vulnerability, however, it’s clear that one or more adversaries do have access to this private key; it’s not currently known how this came about. As of October 7, 2025, Fortra’s advisory for the issue still does not specify that it has been exploited in the wild.

    Fortra’s advisory for CVE-2025-10035 doesn’t specify affected versions, but advises GoAnywhere MFT customers to update to a patched version, namely 7.8.4 (latest) or 7.6.3 (“Sustain Release”). The vendor also notes that “exploitation of this vulnerability is highly dependent upon systems being externally exposed to the internet.”

    Given GoAnywhere MFT’s history of threat actor targeting, we’d advise making that update an immediate priority, along with ensuring the GoAnywhere MFT admin console isn’t exposed to the public internet. In general, it’s also advisable to implement egress filtering and alert on large file uploads, high-volume traffic to suspicious IPs or domains, and data transfer and archive utility usage.
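
    The alerting conditions above can be sketched as a small triage routine. This is an added example, not code from VulnCheck or Fortra; the event field names, the tool watchlist, the byte threshold and the destination allowlist are all assumptions to be tuned per environment, and the sample events are constructed.

```python
import ipaddress

# Assumed watchlist of archive and data-transfer utilities; tune per environment.
WATCHED_TOOLS = {"rclone", "7z", "7za", "rar", "tar", "zip", "scp", "sftp", "curl", "wget"}
# Assumed threshold for a single outbound flow, in bytes (500 MiB).
LARGE_UPLOAD_BYTES = 500 * 1024 * 1024
# Assumed allowlist of expected partner networks (documentation range).
ALLOWED_DESTS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed sample events from a hypothetical MFT host; not real telemetry.
EVENTS = [
    {"type": "process", "host": "mft01", "image": "/usr/bin/java", "parent": "systemd"},
    {"type": "process", "host": "mft01", "image": "/usr/bin/tar", "parent": "java"},
    {"type": "process", "host": "mft01", "image": "C:\\Temp\\rclone.exe", "parent": "cmd.exe"},
    {"type": "flow", "host": "mft01", "dst": "198.51.100.20", "bytes_out": 900_000_000},
    {"type": "flow", "host": "mft01", "dst": "203.0.113.77", "bytes_out": 750_000_000},
    {"type": "flow", "host": "mft01", "dst": "203.0.113.78", "bytes_out": 4_096},
]

def tool_name(image):
    """Basename without a .exe suffix, for both Windows and POSIX paths."""
    base = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return base[:-4] if base.endswith(".exe") else base

def is_allowed(dst):
    """True when the destination falls inside an allowlisted network."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in ALLOWED_DESTS)

def triage(events):
    """Return (rule, host, detail) alerts for tool usage and large uploads."""
    alerts = []
    for ev in events:
        if ev["type"] == "process" and tool_name(ev["image"]) in WATCHED_TOOLS:
            detail = f'{ev["image"]} (parent {ev["parent"]})'
            alerts.append(("archive_or_transfer_tool", ev["host"], detail))
        elif ev["type"] == "flow":
            # Only large flows to destinations outside the allowlist are flagged.
            if ev["bytes_out"] >= LARGE_UPLOAD_BYTES and not is_allowed(ev["dst"]):
                alerts.append(("large_upload_unlisted_dest", ev["host"], ev["dst"]))
    return alerts

if __name__ == "__main__":
    for alert in triage(EVENTS):
        print(alert)
```

    On a file transfer server some of these tools and large flows are expected, so the allowlist and watchlist need baselining against normal transfer jobs before the alerts are useful.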

    As always, since we now know the vulnerability was exploited in the wild as a zero-day, patching alone will not eradicate adversaries from compromised systems.

    PCAPs, Snort and Suricata rules, and a vulnerable Docker container for this vulnerability are available to VulnCheck Initial Access Intelligence customers. CVE-2025-10035 is also on VulnCheck KEV.

    The VulnCheck research team is always on the lookout for new vulnerabilities to analyze and abuse. For more research like this, see New Citrix NetScaler Zero-Day Vulnerability Exploited in the Wild, Command Injection in Jenkins via Git Parameter (CVE-2025-53652), and Still Up, Still Evil: A Look at Attacker Infrastructure Longevity.

    Sign up for the VulnCheck community today to get free access to our VulnCheck KEV, enjoy our comprehensive vulnerability data, and request a trial of our Initial Access Intelligence, IP Intelligence, and Exploit & Vulnerability Intelligence products.


