A critical vulnerability in Fortra’s GoAnywhere Managed File Transfer (MFT) solution, identified as CVE-2025-10035, has been actively exploited as a zero-day at least a week before the company released a patch. This flaw, carrying a perfect CVSS score of 10.0, is a command injection vulnerability that allows unauthenticated remote code execution.
Discovery and Initial Disclosure
Security firm watchTowr reported credible evidence of in-the-wild exploitation dating back to September 10, 2025, eight days prior to Fortra’s public advisory on September 18. Fortra initially described the vulnerability as a deserialization issue within the GoAnywhere MFT License Servlet. According to the vendor’s advisory, an attacker with a validly forged license response signature could deserialize a crafted object, leading to command injection.
However, Fortra’s initial announcement did not mention active exploitation, despite including Indicators of Compromise (IoCs), a move that researchers found unusual. The company stated the issue was found during an internal security check on September 11.
Detailed Analysis of the Vulnerability
Further research from Rapid7 indicates that CVE-2025-10035 is not a single flaw but a chain of three separate issues:
1. Access Control Bypass: A vulnerability known since 2023 that allows unauthorized access to certain components of the system.
2. Unsafe Deserialization Flaw: The newly discovered issue where the system deserializes untrusted data without proper validation, leading to potential code execution.
3. Private Key Exposure: An unknown issue that allows attackers to obtain a specific private key necessary for the exploit.
Threat actors exploited the pre-authentication deserialization vulnerability to achieve Remote Code Execution (RCE). With this access, they created a backdoor administrator account named `admin-go` and then used it to create a legitimate web user account to access the MFT service. Through this web user, the attackers uploaded and executed multiple secondary payloads.
Timeline of Exploitation
– September 10, 2025: watchTowr Labs observed the beginning of exploitation, predating the patch release on September 15 and the public advisory on September 18, confirming its status as a zero-day vulnerability.
– September 11, 2025: Fortra discovered the issue during an internal security check.
– September 15, 2025: Fortra released a patch to address the vulnerability.
– September 18, 2025: Fortra issued a public advisory regarding the vulnerability.
The disclosure has drawn criticism, as Fortra is a signatory of the Secure By Design pledge, which commits to transparency about in-the-wild exploitation. By not initially disclosing the active attacks, security teams were left to assess risk without a full understanding of the threat timeline.
Indicators of Compromise (IoCs)
Evidence of the in-the-wild attacks includes several key indicators:
– Backdoor Account: A local account named `admin-go` was created on compromised systems.
– Malicious Files: Payloads such as `C:\Windows\zato_be.exe` and `C:\Windows\jwunst.exe` (a SimpleHelp binary) were observed.
– Attacker IP: The IP address `155.2.190.197` was linked to the threat actor.
– Commands Executed: The command `whoami /groups` was run, with its output saved to `C:\Windows\test.txt`.
Mitigation and Recommendations
Fortra has released GoAnywhere MFT version 7.8.4 and Sustain version 7.6.3 to address the vulnerability. Given the history of GoAnywhere MFT being targeted by ransomware groups, organizations are urged to patch immediately and ensure their admin consoles are not exposed to the public internet.
In addition to applying the patch, organizations should:
– Restrict Admin Console Access: Implement firewall rules or network ACLs to ensure the admin console is not publicly reachable.
– Monitor for IoCs: Regularly check for the indicators of compromise listed above to detect any signs of exploitation.
– Review Security Policies: Assess and update security policies to address potential vulnerabilities and ensure robust defense mechanisms are in place.
By taking these steps, organizations can mitigate the risk associated with this critical vulnerability and enhance their overall security posture.
