A vulnerability in Fortra’s GoAnywhere Managed File Transfer (MFT) system, tracked as CVE-2025-10035, has been confirmed as actively exploited in the wild even before its public disclosure, based on analysis by security firm watchTowr and corroborated by media outlets. This flaw, residing in the License Servlet, stems from unsafe deserialization and enables attackers holding a forged license response signature to execute arbitrary commands without authentication. Evidence indicates that exploitation dates back to September 10, eight days ahead of the vendor’s advisory on September 18. The attack chain reportedly involves creation of a backdoor admin account (named “admin-go”), deployment of secondary payloads, and misuse of a remote support binary for persistent control. Remediation is available via updates to GoAnywhere MFT version 7.8.4 or Sustain Release 7.6.3, and administrators are urged to restrict Internet exposure of the Admin Console and hunt for indicators like stack traces referencing SignedObject.getObject.
Sources: Bleeping Computer, HelpNet Security, Rapid 7
Key Takeaways
– The GoAnywhere MFT flaw CVE-2025-10035 is rated at the highest severity (CVSS 10.0) and permits unauthenticated remote command execution via a deserialization vulnerability in its License Servlet.
– Evidence from security researchers indicates that the vulnerability was exploited in real-world attacks starting before the patch was publicly disclosed, creating a gap period of elevated risk.
– Organizations using GoAnywhere should upgrade immediately to the fixed versions (7.8.4 or 7.6.3), disable public exposure of the Admin Console, and scan logs for signs of compromise—especially references to SignedObject.getObject.
In-Depth
GoAnywhere MFT is widely used in enterprises to automate and secure file exchanges. Because it handles sensitive data and communicates with external systems, it’s a compelling target for attackers. The recently disclosed vulnerability, CVE-2025-10035, is especially dangerous: it resides in the License Servlet component, which handles responses related to licensing activities. In insecure implementations, an attacker can submit a crafted “license response” payload, forcing the system to deserialize attacker-controlled data—leading to a command injection if conditions align.
What makes this attack even more chilling is that it doesn’t require prior authentication. If the attacker can supply a forged license signature (possibly via having or deducing a private-key or by abusing flaws in the flow), they can trigger execution of malicious code. Once inside, attackers may create new administrative accounts—witness the observed “admin-go” account—spin up web users, and upload implants. In one reported case, they used a legitimate remote access tool (SimpleHelp) to maintain persistence and control.
The timeline is critical. WatchTowr reports that the exploit began September 10, whereas the vendor’s public advisory arrived September 18. That eight-day window provided attackers a head start to compromise vulnerable systems before defenders were even aware of the risk. This gap underscores an essential truth in security: patching is urgent, but detection and preemptive defense are equally vital.
On the remediation front, Fortra has published a patch and advisory (FI-2025-012) recommending upgrade to version 7.8.4 or, for those on the “Sustain” line, 7.6.3. They also advise that the Admin Console should not be exposed to the public internet and that defenders review logs for stack traces notably containing SignedObject.getObject—a telltale sign of exploitation. Meanwhile, independent analysis (e.g. by Rapid7) suggests the issue is not just a simple deserialization flaw, but part of a chain involving an access-control bypass (dating to prior years) and a mechanism by which attackers might obtain or trick the system into using the necessary private key to validate forged payloads.
For organizations using GoAnywhere MFT, the key steps should be as follows:
1. Immediately patch to 7.8.4 or 7.6.3.
2. Disable or firewall off public access to administrative or licensing endpoints.
3. Hunt for signs of compromise—especially weird license POSTs, creation of backdoor accounts, anomalous traffic, or logs referencing SignedObject.getObject.
4. Assume compromise is possible during the window before patch deployment, and conduct a full security audit or incident response as needed.
This event is a stark reminder that even mature, enterprise tools remain vulnerable—and that threat actors frequently gain the upper hand by acting during the period between private discovery and public patching. Vigilance, rapid response, and layered defenses remain essential guards against such risks.