Cybersecurity company Watchtowr Labs revealed on September 10, 2025, a week before its public disclosure, that there is “trustworthy evidence” of the aggressive exploitation of security flaws recently disclosed in Fortra Goany Where Managed File Transfer (MFT) software.
“This is not “just” the flaw in CVSS 10.0, a solution that APT groups and ransomware operators have long preferred. This is a vulnerability that has been actively exploited in the wild since at least September 10, 2025,” Benjamin Harris told Hacker News.
The vulnerability in question is CVE-2025-10035, which is described as a decolorization vulnerability in the license servlet that can result in command injection without authentication. Fortra GoAny Where version 7.8.4, or Sustain release 7.6.3, was released by Fortra last week and fixed an issue.
According to an analysis published earlier this week by WatchTowr, the vulnerability relates to the fact that it is possible to send a crutified HTTP Get request to “/goanywhere/license/license/unlicensed.xhtml/”. Use the GUID embedded in response to a previous send request: “/goanywhere/lic/accept/”.
Armed with this authentication bypass, an attacker can take advantage of the insufficient deintervention protection of the license servlet to cause command injection. That said, how exactly this happens is a mystery, noted researchers Sony McDonald and Piotr Basidolo.
Cybersecurity vendor Rapid7, who published its findings on CVE-2025-10035, said it was not a single decoupling vulnerability, but a three separate chain of issues –
Access control bypass, known since 2023, is an unknown issue related to the insecure out-of-up vulnerability CVE-2025-10035, and how attackers can know a particular private key
In a subsequent report published Thursday, WatchTowr said it received evidence of exploitation efforts, including stack traces that allow for the creation of backdoor accounts. The sequence of activities is:
Trigger a pre-authentication vulnerability in Fortra goany Where MFT to achieve remote code execution (RCE) using RCE, create a GoAny Where user named “Admin-Go” using the newly created account to re-live web users to interact with the solution, and then add SimpleHelp and Uncation payload (Zato_be.exe)
The cybersecurity company also said the threat activity comes from IP address 155.2.190[.]197 is flagged for carrying out a brute force attack targeting the Fortinet Fortigate SSL VPN appliance, according to Virustotal.
Given the indications of wild exploitation, it is essential that users move quickly even if they still apply fixes. Hacker News contacted Fortra for comments and if we hear, we will update the story.
Source link
