Cybersecurity company watchTowr Labs has disclosed that it has “credible evidence” of active exploitation of the recently disclosed security flaw in Fortra GoAnywhere Managed File Transfer (MFT) software as early as September 10, 2025, a whole week before it was publicly disclosed.
“This is not ‘just’ a CVSS 10.0 flaw in a solution long favored by APT groups and ransomware operators – it is a vulnerability that has been actively exploited in the wild since at least September 10, 2025,” Benjamin Harris, CEO and Founder of watchTowr, told The Hacker News.
The vulnerability in question is CVE-2025-10035, which has been described as a deserialization vulnerability in the License Servlet that could result in command injection without authentication. Fortra GoAnywhere version 7.8.4, or the Sustain Release 7.6.3, was released by Fortra last week to remediate the problem.
According to an analysis released by watchTowr earlier this week, the vulnerability has to do with the fact that it’s possible to send a crafted HTTP GET request to the “/goanywhere/license/Unlicensed.xhtml/” endpoint to directly interact with the License Servlet (“com.linoma.ga.ui.admin.servlet.LicenseResponseServlet”) that’s exposed at “/goanywhere/lic/accept/
Armed with this authentication bypass, an attacker can take advantage of inadequate deserialization protections in the License Servlet to result in command injection. That said, exactly how this occurs is something of a mystery, researchers Sonny Macdonald and Piotr Bazydlo noted.
Cybersecurity vendor Rapid7, which also released its findings into CVE-2025-10035, said it’s not a single deserialization vulnerability, but rather a chain of three separate issues –
- An access control bypass that has been known since 2023
- The unsafe deserialization vulnerability CVE-2025-10035, and
- An as-yet unknown issue pertaining to how the attackers can know a specific private key
In a subsequent report published Thursday, watchTowr said it received evidence of exploitation efforts, including a stack trace, that enables the creation of a backdoor account. The sequence of the activity is as follows –
- Triggering the pre-authentication vulnerability in Fortra GoAnywhere MFT to achieve remote code execution (RCE)
- Using the RCE to create a GoAnywhere user named “admin-go”
- Using the newly created account to create a web user
- Leveraging the web user to interact with the solution and upload and execute additional payloads, including SimpleHelp and an unknown implant (“zato_be.exe”)
The cybersecurity company also said the threat actor activity originated from the IP address 155.2.190[.]197, which, according to VirusTotal, has been flagged for conducting brute-force attacks targeting Fortinet FortiGate SSL VPN appliances in early August 2025. However, watchTowr told The Hacker News that it has not observed any such activity from the IP address against its honeypots.
Given signs of in-the-wild exploitation, it’s imperative that users move quickly to apply the fixes, if not already. The Hacker News has reached out to Fortra for comment, and we will update the story if we hear back.
