Fortra disclosed its findings on CVE-2025-10035 on Thursday. CVE-2025-10035 is a critical security flaw in GoAnywhere Managed File Transfer (MFT) that has been assessed to have been actively exploited since at least September 11, 2025.
The company said it began an investigation on September 11 after a “potential vulnerability” reported by a customer and discovered “potentially suspicious activity” related to the flaw.
On the same day, Fortra announced that it had contacted an on-premises customer identified as having made the GoAnywhere management console accessible to the public Internet and had reported the incident to law enforcement.
The hotfix for software versions 7.6.x, 7.7.x, and 7.8.x was made available the next day, and the complete release incorporating the patch (versions 7.6.3 and 7.8.4) was made available on September 15th. Three days later, it added, a CVE for the vulnerability was officially published.
“The scope of risk of this vulnerability is limited to customers with management consoles exposed to the public internet,” Fortra said. “No other web-based components of the GoAnywhere architecture are affected by this vulnerability.”
However, it acknowledged that there have been a “limited number of reports” of fraud related to CVE-2025-10035. As additional mitigation measures, the company recommends that users limit access to the management console over the Internet, enable monitoring and keep software up to date.
CVE-2025-10035 is a license servlet deserialization vulnerability that could allow command injection without authentication. Microsoft revealed in a report earlier this week that a threat it tracks as Storm-1175 has been exploiting this flaw to deploy Medusa ransomware since September 11th.
However, it is not yet clear how the attacker obtained the private key needed to exploit this vulnerability.
“The fact that Fortra has chosen to confirm (in their words) ‘abuse related to CVE-2025-10035’ proves once again that this vulnerability is not theoretical and that attackers have somehow circumvented or met the necessary encryption requirements to exploit this vulnerability,” said Benjamin Harris, CEO and founder of watchTowr.
Source link
