Fortra GoAnywhere RCE Flaw Actively Exploited as Zero-Day

Cybersecurity firm watchTowr Labs has released crucial evidence indicating that the critical security flaw in Fortra GoAnywhere Managed File Transfer (MFT) software was being actively exploited as early as September 10, 2025. This date is a full week before the vulnerability was publicly disclosed. 

"This is not 'just' a CVSS 10.0 flaw in a solution long favored by APT groups and ransomware operators; it is a vulnerability that has been actively exploited in the wild since at least September 10, 2025," Benjamin Harris, CEO and Founder of watchTowr, told The Hacker News. 

The Critical Vulnerability 

The flaw in question is CVE-2025-10035, a deserialization vulnerability within the License Servlet that enables unauthenticated command injection. Fortra recently released versions 7.8.4 and Sustain Release 7.6.3 to remediate the issue. 

watchTowr's analysis indicates that the vulnerability allows an attacker to send a crafted HTTP GET request to a specific license endpoint. This allows them to interact directly with the License Servlet, ultimately leading to an authentication bypass. With this bypass, the attacker can leverage inadequate deserialization protections to achieve command injection, although the exact technical steps remain unclear. 

An Exploitation Chain 

Cybersecurity vendor Rapid7 has provided additional insight, suggesting the vulnerability is not a single flaw but a chain of three separate issues: 

  • An access control bypass known since 2023. 
  • The unsafe deserialization vulnerability (CVE-2025-10035). 
  • A still-unknown issue related to how attackers obtain a specific private key. 

Evidence of Active Attacks 

watchTowr later confirmed it received evidence of successful exploitation, including a stack trace detailing the attack sequence used to create a backdoor account: 

  • Triggering the pre-authentication vulnerability to achieve Remote Code Execution (RCE). 
  • Using RCE to create a GoAnywhere user named "admin-go". 
  • Using the new account to create a web user. 
  • Leveraging the web user to upload and execute additional payloads, including SimpleHelp and an unknown implant (zato_be.exe). 

watchTowr also noted that the threat activity originated from the IP address 155.2.190.197, an address previously flagged for conducting brute-force attacks against Fortinet FortiGate SSL VPN appliances. 
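As an added, defender-side illustration (not code from the article, watchTowr or Rapid7): the indicators above, correlated over constructed sample log lines. The key=value log format, event names and hostnames are assumptions made for this example, not GoAnywhere's real log format; the account name, artifact names and source IP are the ones the article reports.

```python
import re
from collections import defaultdict
# Indicators and post-exploitation order reported in the article (admin account -> web user -> upload).
BACKDOOR_ADMIN = "admin-go"
SUSPICIOUS_ARTIFACTS = ("zato_be.exe", "simplehelp")
REPORTED_SOURCE_IP = "155.2.190.197"
CHAIN = ("admin_user_created", "web_user_created", "file_uploaded")
# Hypothetical key=value log line (an assumption, not GoAnywhere's real log format).
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) src=(?P<src>\S+) event=(?P<event>\S+)(?P<rest>.*)$")
def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["fields"] = dict(kv.split("=", 1) for kv in rec.pop("rest").split())
    return rec

def score_line(rec):
    # Reasons a single record matches a published indicator (empty list if none).
    reasons = []
    if rec["src"] == REPORTED_SOURCE_IP:
        reasons.append("source IP reported by watchTowr")
    if rec["event"] == "admin_user_created" and rec["fields"].get("user") == BACKDOOR_ADMIN:
        reasons.append("backdoor admin account from the reported attack")
    if any(a in rec["fields"].get("file", "").lower() for a in SUSPICIOUS_ARTIFACTS):
        reasons.append("known artifact uploaded: " + rec["fields"]["file"])
    return reasons
def in_order(events):
    # True when every step of CHAIN appears in sequence (other events may interleave).
    idx = 0
    for ev in events:
        if idx < len(CHAIN) and ev == CHAIN[idx]:
            idx += 1
    return idx == len(CHAIN)
def detect_chain(lines):
    # Returns (indicator hits, hosts showing the full three-step sequence).
    per_host, hits = defaultdict(list), []
    for rec in filter(None, map(parse_line, lines)):
        hits.extend((rec["host"], rec["ts"], r) for r in score_line(rec))
        per_host[rec["host"]].append(rec["event"])
    return hits, [h for h, evs in per_host.items() if in_order(evs)]

SAMPLE_LOGS = [  # constructed sample lines for this example
    "2025-09-10T03:12:00Z host=mft01 src=155.2.190.197 event=license_request",
    "2025-09-10T03:12:05Z host=mft01 src=155.2.190.197 event=admin_user_created user=admin-go",
    "2025-09-10T03:13:10Z host=mft01 src=155.2.190.197 event=web_user_created user=svc-web",
    "2025-09-10T03:15:30Z host=mft01 src=155.2.190.197 event=file_uploaded user=svc-web file=zato_be.exe",
    "2025-09-10T08:00:00Z host=mft02 src=10.0.0.5 event=admin_user_created user=jdoe",
    "2025-09-10T08:01:00Z host=mft02 src=10.0.0.5 event=file_uploaded user=jdoe file=report.pdf",
]
```

The second host shows why the sequence check matters: an admin account creation followed by an upload, without the intermediate web-user step and with no published indicator, is not flagged on its own.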

Given the clear signs of in-the-wild exploitation, it is imperative that all users of Fortra GoAnywhere MFT immediately apply the latest fixes. 
