Cybersecurity company watchTowr Labs has disclosed that it has "credible evidence" of active exploitation of the recently disclosed security flaw in Fortra GoAnywhere Managed File Transfer (MFT) software as early as September 10, 2025, a whole week before it was publicly disclosed.
"This is not 'just' a CVSS 10.0 flaw in a solution long favored by APT groups and ransomware operators – it is a vulnerability that has been actively exploited in the wild since at least September 10, 2025," Benjamin Harris, CEO and Founder of watchTowr, told The Hacker News.
The vulnerability in question is CVE-2025-10035, which has been described as a deserialization vulnerability in the License Servlet that could result in command injection without authentication. Fortra released version 7.8.4, and the Sustain Release 7.6.3, last week to remediate the problem.
According to an analysis released by watchTowr earlier this week, an unauthenticated attacker can send a crafted HTTP GET request to the "/goanywhere/license/Unlicensed.xhtml/" endpoint and obtain a GUID in the response. That GUID then allows direct interaction with the License Servlet ("com.linoma.ga.ui.admin.servlet.LicenseResponseServlet"), which is exposed at "/goanywhere/lic/accept/<GUID>".
Armed with this authentication bypass, an attacker can take advantage of inadequate deserialization protections in the License Servlet to achieve command injection. That said, exactly how this occurs remains something of a mystery, researchers Sonny Macdonald and Piotr Bazydlo noted.
Cybersecurity vendor Rapid7, which also released its findings on CVE-2025-10035, said it's not a single deserialization vulnerability, but rather a chain of three separate issues -
- An access control bypass that has been known since 2023
- The unsafe deserialization vulnerability CVE-2025-10035, and
- An as-yet unexplained issue: how the attackers could know a specific private key
In a subsequent report published Thursday, watchTowr said it received evidence of exploitation attempts, including a stack trace showing the creation of a backdoor account. The sequence of the activity is as follows -
- Triggering the pre-authentication vulnerability in Fortra GoAnywhere MFT to achieve remote code execution (RCE)
- Using the RCE to create a GoAnywhere user named "admin-go"
- Using the newly created account to create a web user
- Leveraging the web user to interact with the solution and upload and execute additional payloads, including SimpleHelp and an unknown implant ("zato_be.exe")
The cybersecurity company also said the threat actor activity originated from the IP address 155.2.190[.]197, which, according to VirusTotal, has been flagged for conducting brute-force attacks targeting Fortinet FortiGate SSL VPN appliances in early August 2025. However, watchTowr told The Hacker News that it has not observed any such activity from the IP address against its honeypots.
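To make the indicators above actionable, here is an added example (not code from watchTowr, Rapid7, Fortra or The Hacker News) of an offline triage script that sweeps two logs for the chain described in this story: the Unlicensed.xhtml request followed by a "/goanywhere/lic/accept/<GUID>" request from the same client, the "admin-go" account and the web user it creates, uploads of SimpleHelp or "zato_be.exe", traffic from 155.2.190[.]197, and whether the installed build predates the 7.8.4 / Sustain 7.6.3 fixes. The log formats and the sample entries are constructed for illustration; GoAnywhere's real audit log layout is not described in the article, so the regexes are assumptions to adapt to your deployment.

```python
"""Offline triage for the GoAnywhere MFT exploitation chain described in the article.

Added example. The access-log and audit-log formats below are constructed for
illustration and are NOT GoAnywhere's real log formats; adjust the regexes to yours.
"""
import re

# Fixed builds named in the article: 7.8.4 on the main line, 7.6.3 on the Sustain line.
MAIN_FIX = (7, 8, 4)
SUSTAIN_FIX = (7, 6, 3)

# Indicators taken from the article.
BACKDOOR_ADMIN = "admin-go"
PAYLOAD_NAMES = ("zato_be.exe", "simplehelp")
KNOWN_BAD_IPS = {"155.2.190.197"}
UNLICENSED_PATH = "/goanywhere/license/Unlicensed.xhtml"
LIC_ACCEPT_RE = re.compile(r"^/goanywhere/lic/accept/([0-9a-fA-F-]{36})")

# Common-log-format style entries: client ip, method, request path (assumed format).
ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)')

# Constructed sample data (TEST-NET addresses plus the article's indicator IP).
ACCESS_LOG = """\
203.0.113.7 - - [10/Sep/2025:02:14:01 +0000] "GET /goanywhere/license/Unlicensed.xhtml/ HTTP/1.1" 302 -
203.0.113.7 - - [10/Sep/2025:02:14:02 +0000] "GET /goanywhere/lic/accept/7b9f2d4e-1c3a-4f6b-9d8e-2a1b3c4d5e6f HTTP/1.1" 200 512
198.51.100.20 - - [10/Sep/2025:02:15:10 +0000] "GET /goanywhere/login.xhtml HTTP/1.1" 200 2048
155.2.190.197 - - [10/Sep/2025:02:16:33 +0000] "GET /goanywhere/license/Unlicensed.xhtml HTTP/1.1" 302 -
"""
AUDIT_LOG = """\
2025-09-10 02:14:05 INFO  Admin user 'admin-go' created by 'root'
2025-09-10 02:14:40 INFO  Web user 'svc-sync' created by 'admin-go'
2025-09-10 02:20:12 INFO  File uploaded 'zato_be.exe' by web user 'svc-sync'
2025-09-10 02:21:00 INFO  File uploaded 'SimpleHelp-windows.exe' by web user 'svc-sync'
2025-09-10 03:00:00 INFO  Web user 'alice' logged in
"""


def parse_version(v: str) -> tuple:
    """'7.8.3' -> (7, 8, 3); missing components are treated as 0."""
    parts = tuple(int(p) for p in v.strip().split(".")[:3])
    return (parts + (0, 0, 0))[:3]


def version_is_vulnerable(v: str) -> bool:
    """7.6.x is fixed from Sustain 7.6.3; every other line needs 7.8.4 or later.
    A 7.7.x build is reported vulnerable because no fix was named for that line."""
    t = parse_version(v)
    if t[:2] == (7, 6):
        return t < SUSTAIN_FIX
    return t < MAIN_FIX


def parse_access(log: str) -> list:
    return [(m["ip"], m["method"], m["path"])
            for m in (ACCESS_RE.match(line) for line in log.splitlines()) if m]


def find_license_servlet_abuse(entries: list) -> list:
    """(ip, guid) pairs where one client fetched Unlicensed.xhtml and then reached the
    License Servlet at /goanywhere/lic/accept/<GUID>: the bypass path described above."""
    primed, hits = set(), []
    for ip, _method, path in entries:
        if path.rstrip("/") == UNLICENSED_PATH:
            primed.add(ip)
            continue
        m = LIC_ACCEPT_RE.match(path)
        if m and ip in primed:
            hits.append((ip, m.group(1).lower()))
    return hits


def find_known_bad_ips(entries: list) -> list:
    return sorted({ip for ip, _m, _p in entries if ip in KNOWN_BAD_IPS})


def find_audit_indicators(log: str) -> list:
    """Match the post-exploitation steps from the article against an (assumed) audit log."""
    findings = []
    for line in log.splitlines():
        low = line.lower()
        if re.search(rf"admin user '{BACKDOOR_ADMIN}' created", low):
            findings.append(("backdoor-admin-created", line))
        elif re.search(rf"web user '[^']+' created by '{BACKDOOR_ADMIN}'", low):
            findings.append(("web-user-created-by-backdoor", line))
        elif any(name in low for name in PAYLOAD_NAMES):
            findings.append(("payload-upload", line))
    return findings


def triage(version: str, access_log: str, audit_log: str) -> dict:
    entries = parse_access(access_log)
    return {
        "vulnerable_build": version_is_vulnerable(version),
        "license_servlet_abuse": find_license_servlet_abuse(entries),
        "known_bad_ips": find_known_bad_ips(entries),
        "audit_indicators": find_audit_indicators(audit_log),
    }


if __name__ == "__main__":
    for key, value in triage("7.8.3", ACCESS_LOG, AUDIT_LOG).items():
        print(f"{key}: {value}")
```

A hit from `find_license_servlet_abuse` is the strongest signal, because the article describes no legitimate reason for an external client to chain those two requests; a lone `Unlicensed.xhtml` fetch, by contrast, is also what a scanner produces. Treat `admin-go` and the payload names as starting points, since an attacker can rename both, and pivot from any match to the web user that account created and the files it uploaded.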
Given the signs of in-the-wild exploitation, it's imperative that users move quickly to apply the fixes if they have not already done so. The Hacker News has reached out to Fortra for comment, and we will update the story if we hear back.
Update
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has formally confirmed active exploitation of CVE-2025-10035, requiring federal agencies to apply the fixes by October 20, 2025.
"We continue to be confused as to why Fortra is not advising customers of what appears to be clear evidence of in-the-wild exploitation since at least September 10th," Benjamin Harris, CEO and Founder of watchTowr, said in a statement.
"CISA's addition of these vulnerabilities to the exclusive KEV list only adds to this confusion. We urge Fortra to share their viewpoint and would encourage customers to ask Fortra what they should be doing with regards to patching cycles. Is this urgent, or can it wait until Christmas?"
"In-the-wild exploitation aside, the mystery surrounding this vulnerability remains. Per part 1 of our analysis, we are unclear how exploitation of this vulnerability is possible unless a few very scary scenarios have played out – including attackers gaining control over private keys owned by Fortra. Now that in-the-wild exploitation is confirmed by CISA, this mystery only grows."
When reached for comment, Fortra shared the below statement with The Hacker News -
CVE-2025-10035 is primarily relevant to organizations with a GoAnywhere admin console exposed to the internet. Upon identifying the vulnerability, we immediately notified those customers and continue to provide direct updates and support. Our investigation is ongoing, and our security advisory outlines what organizations need to know based on current findings. We will provide additional information as it becomes available.
(The story was updated after publication on September 30, 2025, to reflect confirmation from CISA on the active exploitation status.)