A maximum-severity vulnerability in Fortra's GoAnywhere managed file transfer (MFT) software is being actively exploited by attackers. Tracked as CVE-2025-10035, this flaw is a deserialization issue in the License Servlet that allows unauthenticated remote command execution via a forged license signature. Although Fortra disclosed the vulnerability on September 18, security firm watchTowr Labs has evidence it was exploited as a zero-day as early as September 10.
The attacks involve creating a backdoor administrator account named 'admin-go' to establish persistent access. Threat actors then upload and execute secondary payloads, including a tool called SimpleHelp, which is abused for hands-on control of compromised systems. The attackers also run commands to assess user privileges, indicating intent for lateral movement within the network.
Fortra has released patched versions (7.8.4 and 7.6.3) and recommends administrators upgrade immediately. As a mitigation, organizations should remove the GoAnywhere Admin Console from public internet access. Admins are also advised to inspect log files for errors containing 'SignedObject.getObject' to check for potential compromise.
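The checks described above can be scripted for a first-pass triage. The following is an added example, not Fortra's or watchTowr's tooling: it flags log lines containing 'SignedObject.getObject' or the 'admin-go' account and compares a version string against the fixed releases. The log format is constructed, and the branch logic (7.6.3 covering only 7.6.x, 7.8.4 covering 7.8.x and later) is an assumption.

```python
import re

# Indicators named in the article above.
EXCEPTION_MARKER = "SignedObject.getObject"
BACKDOOR_ACCOUNT = "admin-go"
# Fixed releases named in the article. Assumption: 7.6.3 fixes only the 7.6.x
# branch and 7.8.4 fixes 7.8.x and later; everything else is treated as exposed.
FIXED_BY_BRANCH = {(7, 6): (7, 6, 3)}
FIXED_LATEST = (7, 8, 4)

def is_patched(version: str) -> bool:
    """Return True if a GoAnywhere version string is at or past a fixed release."""
    parts = tuple(int(p) for p in version.split("."))[:3]
    parts += (0,) * (3 - len(parts))          # pad "7.9" to (7, 9, 0)
    branch_fix = FIXED_BY_BRANCH.get(parts[:2])
    if branch_fix is not None:
        return parts >= branch_fix
    return parts >= FIXED_LATEST

def triage(lines):
    """Return (line_number, indicator, text) for every log line worth reviewing."""
    # Match the exact account name, not longer names that merely start with it.
    account = re.compile(r"(?<![\w-])" + re.escape(BACKDOOR_ACCOUNT) + r"(?![\w-])")
    hits = []
    for number, line in enumerate(lines, start=1):
        if EXCEPTION_MARKER in line:
            hits.append((number, "deserialization-error", line.strip()))
        if account.search(line):
            hits.append((number, "backdoor-account", line.strip()))
    return hits

# Constructed sample lines; the format is hypothetical, not real GoAnywhere output.
SAMPLE_LOG = """\
2025-09-10 03:12:44 ERROR Error processing license request
java.lang.RuntimeException: InvocationTargetException
    at java.base/java.security.SignedObject.getObject(SignedObject.java)
2025-09-10 03:13:02 INFO Admin user 'admin-go' was created
2025-09-10 03:20:19 INFO Admin user 'admin-gordon' logged in
""".splitlines()

if __name__ == "__main__":
    for number, indicator, text in triage(SAMPLE_LOG):
        print(f"line {number}: [{indicator}] {text}")
    for version in ("7.6.2", "7.6.3", "7.7.1", "7.8.3", "7.8.4"):
        print(version, "patched" if is_patched(version) else "UPGRADE")
```

A hit on either indicator is a reason to investigate further, not proof of compromise, and a clean result does not rule it out if logs have rotated or been altered.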
