Close Menu
Cybercrime and Ransomware

Critical 0-Day Exploited in GoAnywhere CVSS 10 Vulnerability Just a Week Before Disclosure

Staff WriterBy No Comments4 Mins Read2 Views

Top Highlights

  1. WatchTowr Labs found credible evidence that the CVE-2025-10035 deserialization vulnerability in Fortra GoAnywhere MFT has been actively exploited since September 10, 2025, even before public disclosure.
  2. The flaw allows attackers to send crafted HTTP requests to bypass authentication, leading to command injection and remote code execution.
  3. Exploitation involves creating backdoor accounts and deploying payloads like malware (e.g., "zato_be.exe") via the compromised system.
  4. Threat actors exploited known access bypass issues, with activity traced to IPs linked to brute-force attacks on Fortinet VPNs, urging immediate patching and remediation.

The Issue

In September 2025, cybersecurity firm watchTowr Labs uncovered that hackers were actively exploiting a critical security flaw—CVE-2025-10035—in Fortra’s GoAnywhere Managed File Transfer (MFT) software well before it was officially disclosed to the public. This vulnerability, linked to the deserialization process within the License Servlet, enables attackers to bypass security controls and execute arbitrary commands remotely. Evidence suggests that malicious actors used this flaw starting around September 10 to gain unauthorized access, create backdoor accounts, and deploy malicious payloads such as malware and remote access tools. The exploitation appears to be part of a broader effort, with the activity traced back to an IP address previously identified for brute-force attacks on other VPN devices, signaling an active campaign targeting the software favored by high-profile cyber threats, including advanced persistent threat (APT) groups and ransomware operators. The report emphasizes the urgency for users to update their systems with the latest patches, as the exploit chain involves multiple vulnerabilities, including pre-existing access control bypasses, making effective mitigation critical.

The report comes from watchTowr, which provides credible evidence of ongoing exploitation, and is supported by other cybersecurity firms like Rapid7, highlighting the complex, multi-layered nature of the attack chain. Although Fortra recently released patches addressing the vulnerability, the early and active exploitation underscores the importance of prompt vulnerability management. The activity has been linked to a specific threat actor originating from an IP known for targeting other security devices, which elevates the risk of widespread, malicious exploitation across organizations using affected versions of GoAnywhere MFT. The cybersecurity community continues to monitor the situation, underscoring the need for immediate action to prevent further compromise.

Risk Summary

The recent exploitation of CVE-2025-10035 in Fortra’s GoAnywhere MFT software exemplifies the escalating cyber risks that can lead to catastrophic impacts, such as remote code execution, unauthorized backdoor creation, and covert data breaches. Active since at least September 10, 2025, threat actors have exploited this deserialization vulnerability to bypass authentication, deploy malicious payloads, and establish persistent footholds within targeted networks, often using stolen or compromised keys. Such exploitation not only jeopardizes sensitive data but also enables further infiltration, ransomware deployment, and disruption of vital organizational operations. Given the active in-the-wild attacks originating from IPs associated with brute-force breaches, rapid patch application becomes critical to mitigate potential widespread damage and preserve organizational integrity amidst increasingly sophisticated cyber threats.

Possible Action Plan

Addressing critical cybersecurity vulnerabilities promptly is essential to prevent widespread exploitation and protect sensitive data. The recent Fortra GoAnywhere CVSS 10 flaw, exploited as a 0-day a week before its public disclosure, underscores the urgent need for swift remediation measures to mitigate severe risks.

Immediate Actions

  • Instantly apply available security patches from Fortra.
  • Conduct a comprehensive vulnerability scan to identify affected systems.

Containment Measures

  • Isolate compromised systems to prevent lateral movement.
  • Disable vulnerable services or functionalities if patches aren’t yet available.

Monitoring & Detection

  • Enable real-time intrusion detection to flag suspicious activity.
  • Monitor logs closely for signs of exploitation attempts.

Preventive Strategies

  • Implement strict access controls and multi-factor authentication.
  • Restrict outbound traffic from affected servers to reduce potential data exfiltration.

Long-term Defenses

  • Regularly update and patch all systems and software.
  • Educate staff on security best practices and awareness.

Stay Ahead in Cybersecurity

Discover cutting-edge developments in Emerging Tech and industry Insights.

Access world-class cyber research and guidance from IEEE.

Disclaimer: The information provided may not always be accurate or up to date. Please do your own research, as the cybersecurity landscape evolves rapidly. Intended for secondary references purposes only.

Cyberattacks-V1

Share.
Avatar photo

John Marcelli is a staff writer for the CISO Brief, with a passion for exploring and writing about the ever-evolving world of technology. From emerging trends to in-depth reviews of the latest gadgets, John stays at the forefront of innovation, delivering engaging content that informs and inspires readers. When he's not writing, he enjoys experimenting with new tech tools and diving into the digital landscape.

Related Posts

Comments are closed.