
Fortra GoAnywhere MFT Zero-Day Actively Exploited

Summary

– Exploitation of Fortra GoAnywhere MFT vulnerability CVE-2025-10035 began at least one week before a patch was released on September 18, 2025.
– The flaw is a critical deserialization issue allowing unauthenticated attackers to achieve remote code execution by forging a license response signature.
– Attackers used the vulnerability to create backdoor admin accounts, establish web user access, and upload additional malicious payloads.
– Over 20,000 internet-exposed GoAnywhere MFT instances exist, including systems belonging to Fortune 500 companies, increasing the attack surface.
– The exploitation chain involves multiple vulnerabilities, and the exact method attackers used to obtain the required private key remains unknown.

A critical vulnerability in Fortra’s GoAnywhere MFT secure file transfer solution was actively exploited for at least a week before a patch became available. Cybersecurity researchers at watchTowr confirmed that attacks leveraging the flaw, tracked as CVE-2025-10035, began around September 10, 2025. Fortra released the official fix on September 18, but its initial advisory did not mention the active exploitation; it did, however, provide indicators of compromise to help organizations detect potential breaches.

The flaw carries the maximum CVSS severity score of 10.0. It is a deserialization vulnerability in the application’s license servlet: an attacker who can forge a valid license response signature can inject malicious serialized objects, and deserializing them leads to remote code execution. Because exploitation depends on the vulnerable endpoint being reachable from outside, Fortra strongly advised administrators to immediately ensure that the GoAnywhere Admin Console is not exposed to the internet.
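To make the mechanism concrete, the following is a small model of the pattern the advisory describes, added here as an illustration; it is not GoAnywhere code, and the wire format, key, sample license, `Gadget` class and handler names are constructed for the example. HMAC-SHA256 stands in for the product’s asymmetric license signature, which preserves the property that matters: whoever holds the signing key can sign arbitrary bytes. The block shows why a signature check alone is not a trust boundary in front of a deserializer, and contrasts it with two fixes, a type allowlist on the deserializer and parsing the license as plain data.

```python
import hashlib
import hmac
import io
import json
import os
import pickle

# Constructed stand-in for the trusted signing key ("serverkey1" in the product).
# The real product verifies an asymmetric signature; HMAC-SHA256 is used so the
# block runs on the standard library alone. The property that matters is the same:
# whoever holds the signing key can produce a valid signature over arbitrary bytes.
SIGNING_KEY = b"constructed-serverkey1-stand-in"
SIG_LEN = hashlib.sha256().digest_size
MARKER = "GADGET_RAN"  # environment flag the gadget sets, a benign stand-in for RCE

class BadSignature(Exception): ...
class Refused(Exception): ...

class Gadget:
    """Constructed object whose deserialization executes attacker-chosen code.
    In a Java target this role is played by a gadget chain already on the classpath."""
    def __reduce__(self):
        return (exec, (f"import os; os.environ['{MARKER}'] = '1'",))

def sign(blob, key=SIGNING_KEY):
    return hmac.new(key, blob, hashlib.sha256).digest()

def encode_response(blob, key=SIGNING_KEY):
    """Constructed wire format: signature followed by the signed bytes."""
    return sign(blob, key) + blob

def verify_and_split(response, key=SIGNING_KEY):
    sig, blob = response[:SIG_LEN], response[SIG_LEN:]
    if not hmac.compare_digest(sign(blob, key), sig):
        raise BadSignature("license response signature does not verify")
    return blob

def vulnerable_handler(response):
    """The signature is the only gate; the signed bytes are then deserialized as
    an object graph, so a signed gadget executes during the load."""
    return pickle.loads(verify_and_split(response))

class RestrictedUnpickler(pickle.Unpickler):
    """Type allowlist on the deserializer (the analogue of Java's ObjectInputFilter):
    anything outside the set is refused before it can run."""
    ALLOWED = {("builtins", "dict"), ("builtins", "str"), ("builtins", "int")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refused {module}.{name}")

def hardened_handler(response):
    """Signature check plus allowlist: the same forged response is rejected."""
    return RestrictedUnpickler(io.BytesIO(verify_and_split(response))).load()

def data_only_handler(response):
    """Preferred shape: parse the license as data with a fixed schema, never as
    serialized objects, so there is nothing for a gadget to hook into."""
    blob = verify_and_split(response)
    try:
        fields = json.loads(blob.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise Refused("license is not well-formed JSON") from exc
    if not isinstance(fields, dict) or set(fields) != {"licensee", "expires"}:
        raise Refused("unexpected license fields")
    return fields

LICENSE = {"licensee": "acme", "expires": 2030}  # constructed sample license

def legit_pickle_response(key=SIGNING_KEY):
    return encode_response(pickle.dumps(LICENSE), key)

def legit_json_response(key=SIGNING_KEY):
    return encode_response(json.dumps(LICENSE).encode("utf-8"), key)

def forged_response(key):
    """What an attacker holding the signing key sends: a signed serialized gadget."""
    return encode_response(pickle.dumps(Gadget()), key)

def run(handler, response):
    """Returns (outcome, gadget_ran) for one handler and one license response."""
    os.environ.pop(MARKER, None)
    try:
        handler(response)
        outcome = "accepted"
    except BadSignature:
        outcome = "bad-signature"
    except (pickle.UnpicklingError, Refused):
        outcome = "refused"
    return outcome, os.environ.get(MARKER) == "1"

if __name__ == "__main__":
    for name, handler in [("vulnerable", vulnerable_handler), ("hardened", hardened_handler)]:
        print(name, "wrong key", run(handler, forged_response(b"wrong-key")),
              "real key", run(handler, forged_response(SIGNING_KEY)))
```

Running the file shows the vulnerable handler rejecting a forgery signed with the wrong key but executing one signed with the real key, while the hardened handler refuses the same response before anything runs. The allowlist is the analogue of a Java serialization filter; the data-only handler is the shape a license response should have had in the first place, and it is the one to ask for in review whenever an endpoint accepts signed object graphs from outside.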

According to the investigation, threat actors weaponized this vulnerability to achieve unauthenticated remote code execution. Their first step was to create a hidden administrator backdoor account on vulnerable systems. With this elevated access, they then established a web user account to gain entry into the MFT service itself. This foothold allowed them to upload and run additional malicious payloads. The scale of potential exposure is significant, with watchTowr noting that over 20,000 GoAnywhere MFT instances are internet-facing, including systems belonging to Fortune 500 corporations.

A deeper technical analysis from Rapid7 revealed that the exploit is not based on a single bug but rather a chain of three distinct issues. This chain includes an access control bypass vulnerability known since 2023, the new deserialization flaw (CVE-2025-10035), and a third, unresolved problem concerning how the attackers obtained a specific private key. Rapid7 had previously reported a related pre-authentication RCE flaw in the same product back in February 2023, which was also exploited as a zero-day.

A critical question remains open. Both watchTowr and Rapid7 emphasize that forging the license signature requires the private key, dubbed ‘serverkey1’, and neither firm could determine how the attackers obtained it. The possibilities include a prior leak of the key, a scenario in which the attackers induced a license server to sign attacker-supplied data, or some other, currently unknown, means of access to `serverkey1`. This gap in understanding underlines the sophistication of the attack.

(Source: Security Week)
