Active Exploitation of Fortra GoAnywhere Vulnerability: Urgent Alert
Introduction to the Issue
Cybersecurity experts at watchTowr Labs have alerted the public to critical security vulnerabilities in Fortra’s GoAnywhere Managed File Transfer (MFT) software. Notably, they indicate that these flaws have been actively exploited since September 10, 2025, which predates the formal announcement of the vulnerability. The rapid response from the cybersecurity community highlights the urgency of addressing these issues.
Understanding the Vulnerability
The specific vulnerability, identified as CVE-2025-10035, centers around a serious deserialization flaw within the License Servlet of the GoAnywhere platform. This weakness allows for command injection without requiring authentication, making it particularly dangerous. Fortra addressed this security hole in GoAnywhere versions 7.8.4 and Sustain Release 7.6.3, released shortly after the vulnerability was disclosed.
Details of the Exploit
According to watchTowr’s analysis, attackers can exploit the vulnerability by sending a specially crafted HTTP GET request to the endpoint "/goanywhere/license/Unlicensed.xhtml/". This interaction connects with the License Servlet—specifically, the component at "/goanywhere/lic/accept/
Layers of Vulnerability
Additionally, cybersecurity firm Rapid7 has shed light on this issue, categorizing it as a sequence of three interrelated vulnerabilities rather than a standalone flaw. Their assessment outlines the vulnerabilities as follows:
- Access Control Bypass: A known issue that dates back to 2023.
- Unsafe Deserialization: The latest vulnerability indicated by CVE-2025-10035.
- Unknown Exploit: It remains unclear how attackers might discern the specific private keys necessary for further exploitation.
Evidence of Exploitation
In a follow-up report, watchTowr shared evidence of ongoing exploitation attempts. Their findings included a stack trace demonstrating the potential for creating unauthorized backdoor accounts. The exploitation sequence includes:
- Activating the pre-authentication vulnerability to gain remote code execution (RCE).
- Creating a new user account named "admin-go".
- Using this newly minted account to generate a web user.
- Through the web user, attackers can upload and execute additional payloads, including various exploits and potentially harmful implants.
Tracking the Threat Actors
The cybersecurity experts tracking this activity identified an IP address—155.2.190[.]197—linked to these exploit attempts. This address has reportedly been associated with prior brute-force attacks targeting Fortinet’s FortiGate SSL VPN appliances, indicating a pattern of malicious activity that needs urgent attention.
Immediate Recommendations for Users
Given the confirmed active exploitation of these vulnerabilities, it is crucial for users of Fortra’s GoAnywhere software to take immediate action. Applying the latest security updates is essential to safeguard sensitive information and maintain the integrity of their systems. Cybersecurity professionals advise that all users should verify their installations and implement the necessary patches as soon as possible.
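As a starting point for verifying an installation, the following added example (not code from watchTowr, Rapid7 or Fortra) checks a version string against the fixed releases named above and searches access-log lines and an admin account list for the indicators quoted in this article. The log format, the `admin_users` export and the treatment of 7.6.x as the Sustain Release branch are assumptions, and the sample log lines are constructed.

```python
import re

# Indicators and fixed releases (7.8.4, Sustain Release 7.6.3) quoted in the article.
IOC_IP = "155.2.190.197"  # re-fanged for matching
IOC_PATHS = ("/goanywhere/license/unlicensed.xhtml", "/goanywhere/lic/accept")
IOC_ACCOUNT = "admin-go"
FIXED_MAIN, FIXED_SUSTAIN = (7, 8, 4), (7, 6, 3)

# Assumption: a reverse proxy in front of GoAnywhere writes "combined"-style
# access logs; adapt the pattern to the log format you actually have.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample lines (not real traffic); other IPs are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Sep/2025:02:14:07 +0000] "GET /goanywhere/auth/Login.xhtml HTTP/1.1" 200 5123',
    '155.2.190.197 - - [10/Sep/2025:02:15:40 +0000] "GET /goanywhere/license/Unlicensed.xhtml/ HTTP/1.1" 200 812',
    '198.51.100.7 - - [11/Sep/2025:09:01:12 +0000] "GET /goanywhere/lic/accept/ HTTP/1.1" 302 0',
    'truncated or non-matching line',
]

def is_patched(version):
    """True if 'major.minor.patch' is at or above the fixed release.
    Assumption: 7.6.x is the Sustain Release branch, anything else mainline."""
    v = tuple(int(part) for part in version.strip().split("."))
    if len(v) != 3:
        raise ValueError(f"expected major.minor.patch, got {version!r}")
    fixed = FIXED_SUSTAIN if v[:2] == FIXED_SUSTAIN[:2] else FIXED_MAIN
    return v >= fixed

def triage(log_lines, admin_users=()):
    """Return (line_no, kind, detail) leads; line_no 0 means 'not from the log'."""
    findings = []
    for n, line in enumerate(log_lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped, not treated as clean
        if m["ip"] == IOC_IP:
            findings.append((n, "ioc-ip", m["ip"]))
        if m["path"].lower().startswith(IOC_PATHS):
            findings.append((n, "license-endpoint",
                             f'{m["method"]} {m["path"]} -> {m["status"]}'))
    for user in admin_users:  # hypothetical export of admin account names
        if user.strip().lower() == IOC_ACCOUNT:
            findings.append((0, "backdoor-account", user.strip()))
    return findings

if __name__ == "__main__":
    print(is_patched("7.8.3"), triage(SAMPLE_LOG, ["administrator", "admin-go"]))
```

Findings are leads for review rather than proof of compromise, and a patched version does not rule out exploitation that occurred before the update was applied.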
Conclusion
The recent findings regarding the CVE-2025-10035 vulnerability in Fortra’s GoAnywhere MFT serve as a stark reminder of the risks present in today’s cybersecurity landscape. Ongoing vigilance and prompt updates can significantly mitigate these risks. The cybersecurity community continues to monitor the situation, and additional insights may emerge as further investigations are conducted.


