Fortra recently disclosed its findings regarding CVE-2025-10035, a critical security vulnerability in GoAnywhere Managed File Transfer (MFT) that has been actively exploited since September 11, 2025.
The company began investigating on September 11 after a customer reported a potential vulnerability, and the investigation uncovered suspicious activity associated with the flaw.
On the same day, Fortra contacted customers with publicly accessible GoAnywhere admin consoles and informed law enforcement about the incident.
A hotfix for versions 7.6.x, 7.7.x, and 7.8.x of the software was released the following day, with full patches (versions 7.6.3 and 7.8.4) available on September 15. A CVE for the vulnerability was officially published three days later.
Fortra clarified that the risk of the vulnerability is limited to customers with exposed admin consoles, with other web components remaining unaffected. However, there have been reports of unauthorized activities related to CVE-2025-10035.
As a precaution, Fortra recommends restricting admin console access, enabling monitoring, and keeping software up to date.
CVE-2025-10035 involves a deserialization vulnerability in the License Servlet, potentially leading to command injection without authentication. Microsoft’s recent report revealed that threat actor Storm-1175 exploited this flaw to deploy Medusa ransomware.
It remains unclear how threat actors obtained the private keys needed to exploit this vulnerability.
According to watchTowr CEO Benjamin Harris, Fortra’s acknowledgment of unauthorized activities related to CVE-2025-10035 confirms the practical exploitation of the vulnerability by threat actors.






