Experts warn a maximum severity GoAnywhere MFT flaw is now being exploited as a zero day

News
By published

A patch is already released, so hurry up

Representational image of a cybercriminal
Image Credit: Pixabay (Image credit: Pixabay)
  • CVE-2025-10035 in GoAnywhere MFT allows critical command injection via license servlet
  • Exploitation began before public disclosure; WatchTowr found credible in-the-wild evidence
  • Users urged to patch or isolate systems; past flaws led to major Cl0p ransomware breaches

GoAnywhere MFT, a popular managed file transfer solution, is carrying a maximum-severity vulnerability currently being exploited in the wild after security researchers WatchTowr Labs claim to have found “credible evidence”.

Fortra (the company behind GoAnywhere) recently published a new security advisory, urging customers to patch CVE-2025-10035.

This is a deserialization vulnerability in the License Servlet that allows threat actors to run command injection attacks. In other words, it’s a hole in the license-checking system that could let attackers trick GoAnywhere into running their code.

Credible evidence

The vulnerability was given a maximum severity rating - 10/10, meaning it’s absolutely critical that users patch it. Other than that, the advisory did not say much about potential attackers, or current targets.

WatchTowr’s researchers did, though: "We have been given credible evidence of in-the-wild exploitation of Fortra GoAnywhere CVE-2025-10035 dating back to September 10, 2025," the researchers said in their writeup.

"That is eight days before Fortra's public advisory, published September 18, 2025. This explains why Fortra later decided to publish limited IOCs, and we're now urging defenders to immediately change how they think about timelines and risk."

The best way to protect against the attacks is to upgrade to a patched version, either the latest release (7.8.4), or the Sustain Release 7.6.3.

Those who cannot patch at this time can remove GoAnywhere from the public internet through the Admin Console, and those who suspect they may have been targeted should inspect log files for errors containing the string 'SignedObject.getObject,'.

In early 2023, threat actors exploited a flaw in GoAnywhere MFT to steal data from dozens of organizations worldwide. The ransomware group Cl0p claimed responsibility, leaking sensitive files and demanding payment, turning it into one of the year’s most damaging supply-chain style breaches.

Via BleepingComputer

You might also like

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.