Critical Vulnerability in Fortra GoAnywhere MFT Exploited by Attackers

Fortra GoAnywhere MFT, a widely deployed managed file transfer product, has been under active exploitation since September 10, 2025 through CVE-2025-10035, a critical vulnerability carrying the maximum CVSS score of 10.0. The flaw is a deserialization vulnerability in the License Servlet component that lets an unauthenticated attacker execute arbitrary commands, fully compromising any instance whose administration console is exposed to the internet.

CISA officially confirmed the exploitation this Monday by adding the CVE to its Known Exploited Vulnerabilities catalog, with a remediation deadline of October 20 for U.S. federal agencies. Researchers at watchTowr Labs had meanwhile found that attackers created backdoor administrative accounts on vulnerable instances a week before Fortra's public disclosure.

The situation is particularly critical given that, according to watchTowr, more than 20,000 GoAnywhere instances are reachable from the internet. The attack is low in complexity, requires no user interaction, and has already been observed deploying malicious payloads after the creation of unauthorized web user accounts.

All versions of GoAnywhere MFT prior to 7.8.4 and 7.6.3 (Sustain Release) are vulnerable. Fortra has released security patches, and organizations unable to apply them immediately should ensure the administration console is not publicly exposed to the internet.

Recommendations:

  • Immediately update GoAnywhere MFT to version 7.8.4 or 7.6.3 (Sustain Release), which contain the fix for CVE-2025-10035.
  • Ensure the GoAnywhere administration console is not reachable from the internet; use network segmentation and VPN-based access where remote administration is required.
  • Review the Admin Audit logs for suspicious activity, especially the creation of administrative accounts or unexpected web user accounts.
  • Check log files for errors containing the string “SignedObject.getObject”, which may indicate exploitation attempts; the error appears in the format:
    "ERROR Error parsing license response java.lang.RuntimeException: InvocationTargetException: java.lang.reflect.InvocationTargetException"
  • Implement SIEM and EDR detection rules for attack patterns related to CVE-2025-10035, including malformed HTTP requests to the licensing endpoint.
  • Conduct a full compromise assessment of any instance that was publicly exposed before patching, including a review of user accounts, log analysis, and a search for indicators of compromise.
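The following script turns the version check and the two log checks above into something an incident responder can run against exported GoAnywhere logs. It is an added example, not code from Fortra or SEK. The fixed release numbers and the “SignedObject.getObject” and license-parsing error strings are the ones quoted in this advisory; the key=value Admin Audit line format and the sample log lines are constructed for the example and must be adapted to the real export.

```python
"""Triage helpers for CVE-2025-10035 based on the checks listed above.
Added example, not code from Fortra or SEK. The fixed versions and the
'SignedObject.getObject' / license-parsing error strings are taken from
the advisory text; the Admin Audit line format below is an assumption."""
import re

# Indicator named in the advisory: the string to look for in GoAnywhere logs.
LICENSE_IOC = "SignedObject.getObject"
# Fixed parts of the error line quoted in the advisory; the middle is matched loosely.
LICENSE_ERROR_RE = re.compile(
    r"ERROR\s+Error parsing license response.*InvocationTargetException"
)
# HYPOTHETICAL Admin Audit format (key=value fields); adapt to the real export.
AUDIT_CREATE_RE = re.compile(r"action=CREATE_(?:ADMIN|WEB)_USER\s+target=(\S+)")


def parse_version(version):
    """'7.8.3' -> (7, 8, 3); tuples compare element-wise, unlike strings."""
    return tuple(int(p) for p in version.strip().split("."))


def is_vulnerable(version):
    """True if the version is below the fixed release for its branch:
    the 7.6.x Sustain Release is fixed in 7.6.3, everything else in 7.8.4."""
    parts = parse_version(version)
    if parts[:2] == (7, 6):
        return parts < (7, 6, 3)
    return parts < (7, 8, 4)


def scan_license_log(lines):
    """Return (line_number, line) for every line carrying either indicator."""
    return [
        (n, line.rstrip())
        for n, line in enumerate(lines, 1)
        if LICENSE_IOC in line or LICENSE_ERROR_RE.search(line)
    ]


def flag_account_creations(audit_lines, known_accounts):
    """Return accounts created in the audit log that are not on the allow list."""
    created = []
    for line in audit_lines:
        m = AUDIT_CREATE_RE.search(line)
        if m and m.group(1) not in known_accounts:
            created.append(m.group(1))
    return created


# Constructed sample input (not real telemetry). Line 2 is the error line
# quoted in the advisory; line 3 carries the SignedObject.getObject string.
SAMPLE_LOG = [
    "2025-09-10 03:14:02 INFO  Admin login successful for user admin from 10.0.0.5",
    "2025-09-10 03:14:40 ERROR Error parsing license response java.lang.RuntimeException: "
    "InvocationTargetException: java.lang.reflect.InvocationTargetException",
    "2025-09-10 03:14:40 ERROR     at java.security.SignedObject.getObject(SignedObject.java:180)",
    "2025-09-10 03:15:01 INFO  Scheduled job FileCleanup completed",
]
SAMPLE_AUDIT = [  # constructed lines in the hypothetical format above
    "2025-09-09 22:01:10 AUDIT actor=admin action=LOGIN",
    "2025-09-10 03:14:55 AUDIT actor=admin action=CREATE_ADMIN_USER target=support_tmp",
    "2025-09-10 03:15:20 AUDIT actor=svc_backup action=CREATE_WEB_USER target=vendor_upload",
]
# Accounts whose creation was expected (vendor_upload was a planned onboarding).
KNOWN_ACCOUNTS = {"admin", "svc_backup", "vendor_upload"}

if __name__ == "__main__":
    for v in ("7.8.3", "7.8.4", "7.6.2", "7.6.3", "7.7.0"):
        print(v, "VULNERABLE" if is_vulnerable(v) else "patched")
    for n, line in scan_license_log(SAMPLE_LOG):
        print(f"license IOC at line {n}: {line[:60]}...")
    print("unexpected accounts:", flag_account_creations(SAMPLE_AUDIT, KNOWN_ACCOUNTS))
```

A hit from scan_license_log on an instance that was internet-exposed is grounds for the full compromise assessment in the last recommendation, not just a patch: the error string only shows that a crafted license response reached the servlet, and the account review is what tells you whether the attacker got persistence.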

SEK remains available to assist its clients with patch implementation, compromise assessment, and strengthening security posture.
