
Fortra GoAnywhere Zero-Day Exploited: Critical Flaw CVE-2025-10035

Summary

– CVE-2025-10035 is a critical vulnerability in Fortra’s GoAnywhere MFT that was exploited in zero-day attacks before a patch was released on September 15, 2025.
– Evidence shows the vulnerability was actively exploited as early as September 10, 2025, which was eight days before Fortra’s public advisory on September 18.
– Researchers determined the issue is not a single flaw but an attack chain involving an access control bypass, the deserialization vulnerability, and the use of a specific private key.
– Attackers exploited the flaw to achieve remote code execution, create a backdoor admin account named ‘admin-go’, and deploy secondary implants.
– GoAnywhere users are urged to immediately upgrade to a patched version and check their systems for the provided indicators of compromise.

A critical security flaw in Fortra’s GoAnywhere managed file transfer platform, identified as CVE-2025-10035, has been actively exploited by attackers in zero-day attacks. This vulnerability, which received a maximum severity score of 10.0 on the CVSS scale, involves a deserialization issue within the software’s License Servlet. Fortra released patches for the flaw on September 15, 2025, but evidence now confirms malicious exploitation began days before the fix was available.

Security researchers from watchTowr became suspicious when Fortra’s advisory included a specific log string as an indicator of compromise. Their subsequent investigation led to a startling discovery. Shortly after publishing their analysis, a source provided them with credible evidence showing that in-the-wild exploitation of CVE-2025-10035 was occurring as early as September 10, 2025. This timeline indicates attackers had at least an eight-day head start before Fortra’s public warning on September 18. This revelation explains why the vendor later decided to publish limited Indicators of Compromise (IOCs) and underscores the urgent need for organizations to reassess their threat timelines.

Further analysis by Rapid7 revealed that the problem is more complex than a single vulnerability. They identified an attack chain that combines three elements: a known access control bypass flaw from 2023, the new deserialization vulnerability (CVE-2025-10035), and a yet-unexplained issue that allowed attackers to obtain and use a specific private key to forge license response signatures. The method by which attackers acquired this private key remains a central unanswered question.

For organizations using GoAnywhere MFT, the immediate priority is to act. Researchers confirmed that after exploiting the vulnerability to achieve remote code execution, attackers consistently created an administrative user account named `admin-go`. This account acts as a persistent backdoor, which was then used to create a web user, upload a second-stage implant, and deploy a SimpleHelp remote support binary. Administrators must urgently scan their systems for these IOCs and any other suspicious activity.

Whether evidence of compromise is found or not, the most critical step is to immediately upgrade to a patched version, specifically GoAnywhere version 7.8.4 or the sustain release 7.6.3. Any instance found to be compromised requires a comprehensive investigation to determine the full extent of the breach, as the attacker’s activities may extend far beyond the initial entry point.
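The two checks the article asks administrators to perform, whether the installed build is at the fixed level and whether the audit trail shows the `admin-go` backdoor account, as an added triage helper that is not from the article or from Fortra. The audit-log format below is constructed for illustration and is not GoAnywhere's real format; the rule that builds outside the 7.6 sustain branch must be at 7.8.4 or newer is an assumption, since the article names only 7.8.4 and 7.6.3.

```python
import re

# Fix levels named in the article: 7.8.4, or 7.6.3 on the sustain branch.
PATCHED_BY_BRANCH = {
    (7, 6): (7, 6, 3),   # sustain release
}
PATCHED_MAINLINE = (7, 8, 4)

# Backdoor administrator account observed after exploitation.
BACKDOOR_ACCOUNT = "admin-go"


def parse_version(text: str) -> tuple:
    """Parse 'major.minor.patch' into a comparable tuple of ints."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(version: str) -> bool:
    """True if the build is at or above the fix level for its branch.
    Assumption: anything not on the 7.6 branch needs 7.8.4 or newer."""
    v = parse_version(version)
    minimum = PATCHED_BY_BRANCH.get(v[:2], PATCHED_MAINLINE)
    return v >= minimum


def find_backdoor_events(lines) -> list:
    """Return audit lines that create or act as the 'admin-go' account."""
    pattern = re.compile(r"\b" + re.escape(BACKDOOR_ACCOUNT) + r"\b", re.I)
    return [ln for ln in lines if pattern.search(ln)]


# Constructed sample audit lines (illustrative format, not Fortra's).
SAMPLE_LOG = [
    "2025-09-10 03:12:44 INFO admin user created: name=admin-go by=system",
    "2025-09-10 03:13:01 INFO web user created: name=svc-upload by=admin-go",
    "2025-09-11 08:00:00 INFO scheduled job completed: nightly-sync",
]


def triage(version: str, lines) -> dict:
    """Combine both checks: any backdoor hit means investigate, an unpatched
    build with no hits means upgrade, otherwise no action from these checks."""
    hits = find_backdoor_events(lines)
    patched = is_patched(version)
    action = "investigate" if hits else ("upgrade" if not patched else "none")
    return {"patched": patched, "backdoor_events": hits, "action": action}


if __name__ == "__main__":
    print(triage("7.8.3", SAMPLE_LOG))
```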

(Source: HelpNet Security)

