Recent Exploitation of Fortra GoAnywhere MFT Vulnerability Raises Alarms
Overview of the Vulnerability
A critical security flaw in Fortra's GoAnywhere Managed File Transfer (MFT) application has come to light and is drawing attention across the security community. According to cybersecurity firm watchTowr, the vulnerability, tracked as CVE-2025-10035, was being exploited in the wild more than a week before Fortra shipped a fix. The flaw carries the maximum CVSS score of 10.0.
Timeline of Disclosure and Exploitation
Fortra published an advisory and a fix on September 18, but did not initially state that the flaw was under active exploitation. Instead, the company released indicators of compromise (IoCs) so that organizations could check their own deployments for signs of attack. watchTowr, however, says exploitation began as early as September 10, an eight-day gap between the earliest observed attacks and the public advisory.
Nature of the Security Flaw
The vulnerability is an unsafe deserialization bug in the application's License Servlet. An attacker who can present a forged license response signature can submit a specially crafted serialized object; when the servlet deserializes it, the attacker achieves command injection. Fortra warns that exploitation depends heavily on external exposure: the attack path runs through the GoAnywhere Admin Console, so instances whose console is reachable from the internet are the ones at risk.
In-the-Wild Exploitation Details
Attackers reportedly used the flaw for unauthenticated remote code execution (RCE) and created backdoor administrative accounts on vulnerable systems. With administrative access, they then created web user accounts, which gave them access to the MFT service itself, and used that access to upload and execute additional malicious payloads.
Prevalence of Vulnerable Instances
watchTowr's analysis found more than 20,000 GoAnywhere MFT instances reachable from the internet, including systems belonging to several Fortune 500 companies. That exposure makes the flaw an urgent concern for any enterprise that depends on the product.
Complexities of the Vulnerability
Rapid7, which conducted its own analysis, argues that the defect is more involved than a single deserialization bug. In its view the exploit chains three separate issues: an access control bypass that has been known since early 2023, the unsafe deserialization itself, and a third, still unexplained issue concerning how attackers obtain the specific private key that full exploitation requires.
Historical Context and Related Flaws
The access control bypass was first noted in February 2023, when Fortra patched a pre-authentication remote code execution bug in GoAnywhere MFT that had already been exploited as a zero-day. Neither watchTowr nor Rapid7 has been able to locate the private key, referred to as 'serverkey1', that is needed to forge the license response signature and therefore to exploit CVE-2025-10035 successfully.
Both firms suggest the flaw could be exploited if the private key has leaked, or if attackers managed to trick a license server into signing a malicious payload for them. It is also possible that the key was obtained through some channel that has not yet been identified.
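The two points made above, that the servlet deserializes a signed license response and that the whole protection collapses if the signing key leaks, can be shown side by side. The block below is an added illustration and is not GoAnywhere code or anything published by Fortra, watchTowr or Rapid7. It uses Python's pickle as a stand-in for Java serialization and an HMAC key as a stand-in for the product's asymmetric signing key (which, in the real scheme, only the license server would hold); every name in it (LICENSE_SIGNING_KEY, License, CommandGadget, run_command, the two handle_* functions) is hypothetical. The signature-only handler is safe exactly as long as the key stays secret; the hardened handler adds an allow-list on what the deserializer may construct, so the same forged response is rejected even when the attacker holds the key.

```python
"""Signed license response, verified and then deserialized: a signature-only
gate next to one that also restricts what the deserializer may construct.
Added example, not GoAnywhere code. pickle stands in for Java serialization,
HMAC for the product's asymmetric license-response signature."""
import hashlib
import hmac
import io
import pickle

# Constructed stand-in for the signer's secret (the article's 'serverkey1').
# Assumption: a real license server holds an asymmetric private key and the
# product only the public half; HMAC keeps this example stdlib-only.
LICENSE_SIGNING_KEY = b"constructed-demo-secret-not-a-real-key"

# Record of commands the gadget "ran"; a real gadget would call os.system.
EXECUTED = []

def sign(payload, key=LICENSE_SIGNING_KEY):
    """Signature the license server attaches to a serialized response."""
    return hmac.new(key, payload, hashlib.sha256).digest()

def verify(payload, sig, key=LICENSE_SIGNING_KEY):
    return hmac.compare_digest(sign(payload, key), sig)

class License:
    """The only type a license response should ever contain."""
    def __init__(self, customer, expires):
        self.customer = customer
        self.expires = expires

def run_command(cmd):
    """Stand-in for a command-execution sink reachable during deserialization."""
    EXECUTED.append(cmd)
    return "executed: " + cmd

class CommandGadget:
    """Attacker object: __reduce__ makes the unpickler call run_command(cmd)
    while loading, before any application code has looked at the result."""
    def __init__(self, cmd):
        self.cmd = cmd

    def __reduce__(self):
        return (run_command, (self.cmd,))

class LicenseUnpickler(pickle.Unpickler):
    """Allow-list unpickler: resolves only License; every other global, and
    therefore every gadget, is rejected before it can execute."""
    ALLOWED = {(License.__module__, "License")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")

def handle_signature_only(blob, sig):
    """Signature check, then unrestricted deserialization: safe exactly as
    long as the signing key stays secret."""
    if not verify(blob, sig):
        raise PermissionError("license response signature invalid")
    return pickle.loads(blob)

def handle_hardened(blob, sig):
    """Same signature gate plus an allow-list on what may be deserialized."""
    if not verify(blob, sig):
        raise PermissionError("license response signature invalid")
    return LicenseUnpickler(io.BytesIO(blob)).load()

def forge_response(cmd, key):
    """Attacker side: serialize a gadget and sign it with the key they hold."""
    blob = pickle.dumps(CommandGadget(cmd), protocol=4)
    return blob, sign(blob, key)

def demo():
    """Runs the cases the article discusses and returns their outcomes."""
    EXECUTED.clear()
    out = {}
    blob = pickle.dumps(License("acme", "2026-12-31"), protocol=4)
    out["legit_accepted"] = handle_hardened(blob, sign(blob)).customer == "acme"
    # No key: the forged signature fails and nothing is deserialized.
    blob, sig = forge_response("id", b"attacker-guess")
    try:
        handle_signature_only(blob, sig)
        out["nokey_blocked"] = False
    except PermissionError:
        out["nokey_blocked"] = True
    # Leaked signing key: the signature-only gate passes and the gadget runs.
    blob, sig = forge_response("id", LICENSE_SIGNING_KEY)
    handle_signature_only(blob, sig)
    out["leaked_key_rce"] = EXECUTED == ["id"]
    # Same forged response against the allow-list: rejected before execution.
    try:
        handle_hardened(blob, sig)
        out["hardened_blocked"] = False
    except pickle.UnpicklingError:
        out["hardened_blocked"] = True
    out["no_extra_exec"] = EXECUTED == ["id"]
    return out
```

Calling demo() returns a dictionary in which every case is True: the legitimate response is accepted, an attacker without the key is stopped by the signature, an attacker with the leaked key gets code execution through the signature-only handler, and the allow-list handler refuses the same forged response before the gadget runs. The design point is the one Rapid7's three-bug framing makes: a signature on serialized input moves the security boundary onto a single secret, and the deserializer itself still needs to be restricted to the types it is actually meant to receive.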
Conclusion
This case is a reminder that a vendor advisory can trail real-world exploitation by days. Organizations running Fortra GoAnywhere MFT should apply Fortra's fix, review their systems against the published IoCs, and make sure the Admin Console is not reachable from the internet. The way this flaw chains an old access control bypass, unsafe deserialization and an unexplained key disclosure also shows how much damage a single exposed management interface can enable.