Critical vulnerability in Fortra GoAnywhere MFT probably exploited by attackers
The manufacturer is offering patches, and admins should also isolate affected systems from the Internet. The vulnerability has apparently already been attacked.
There is a critical vulnerability in the license servlet of GoAnywhere MFT, a file transfer tool for companies. The manufacturer informed customers about the flaw a week ago and made patches available. A security company has now reported that attack attempts have probably been underway for over two weeks. This makes the security bug a "zero day".
The GoAnywhere MFT license manager can be tricked in several steps into executing an attacker's malicious code. Such errors in deserialization routines are well known, but they are repeatedly found in current software. Most recently, Microsoft SharePoint had a similar problem. Now GoAnywhere MFT has been hit again: the vulnerability CVE-2025-10035 is categorized as critical and has a CVSS score of 10 points. This means that attackers can execute malicious code on the server without prior login.
Fortra brings patches, others have useful IOCs
The manufacturer has already released patches for the bug and strongly recommends that its customers update to version 7.8.4 or the "Sustain Release", i.e. LTS version 7.6.3. In addition, the GoAnywhere Admin Console should not be accessible via the Internet under any circumstances. As an indicator of a successful attack (Indicator of Compromise, IoC), Fortra only provides an extract of a Java stack trace.
Others are more forthcoming: the analysis company watchTowr Labs additionally offers suspicious file names, an IP address from the Swedish VPN service Mullvad, the suspicious account "admin-go" and a few commands executed by attackers to help defenders in their search for uninvited guests. The company published the IoCs in the second part of a detailed analysis of the vulnerability, which watchTowr was unable to reproduce in full.
There have been attacks
In the analysis, watchTowr also shows evidence of successful attacks that had already taken place on 10 September 2025, i.e., eight days before the manufacturer's security warning. Fortra itself states that it discovered the security vulnerability during a review on 11 September and took immediate action.
In any case, customers using GoAnywhere MFT should consider the corresponding servers to be compromised and take countermeasures. They are likely used to trouble by now: two and a half years ago, in February 2023, a vulnerability in GoAnywhere already led to an extensive campaign with the Cl0p ransomware, which affected over 130 companies in total. The current vulnerability is also likely to be weaponized quickly in the criminal underground.
(cku)