Actively Exploited GoAnywhere MFT Zero-Day Vulnerability CVE-2025-10035 (CVSS: 10)

Estimated reading time: 10 minutes

Key Takeaways:

  • CVE-2025-10035 is a critical deserialization vulnerability in Fortra’s GoAnywhere MFT.
  • The vulnerability allows for remote command execution, potentially leading to full system compromise.
  • Exploitation occurred in the wild before a patch was available, making it a zero-day.
  • Immediate patching, restricted access, and continuous monitoring are crucial mitigation steps.
  • PurpleOps offers services to help organizations detect and respond to such threats.

Table of Contents:

CVE-2025-10035: Actively Exploited GoAnywhere MFT Zero-Day Vulnerability

On September 25th, 2025, watchTowr Labs revealed that a recently disclosed vulnerability in Fortra’s GoAnywhere Managed File Transfer (MFT) – **CVE-2025-10035** (CVSS: 10) – had been actively exploited in the wild. This blog post provides a detailed analysis of the vulnerability, its potential impact, and recommended mitigation strategies. The exploitation of CVE-2025-10035 underscores the importance of real-time ransomware intelligence, proactive breach detection, and comprehensive cyber threat intelligence platforms.

Fortra disclosed CVE-2025-10035 on September 18th, 2025, providing patches to address the flaw. This critical vulnerability is a deserialization issue within the License Servlet of GoAnywhere MFT. The vulnerability allows an attacker to forge a valid license response signature, enabling the deserialization of an arbitrary, attacker-controlled object. This can lead to command injection, potentially compromising the entire system.

WatchTowr Labs published a detailed Proof-of-Concept (PoC) exploit code for CVE-2025-10035 on September 24th, 2025. The firm confirmed that active exploitation of the vulnerability occurred as early as September 10th, 2025, effectively classifying it as a zero-day vulnerability.

Fortra stated that exploiting CVE-2025-10035 requires systems to be exposed to the internet. Consequently, any unpatched, internet-facing instances of GoAnywhere MFT are at high risk. Given the vulnerability’s potential to bypass authentication and inject commands, organizations are strongly advised to apply security patches immediately.

Technical Breakdown of CVE-2025-10035

CVE-2025-10035 is a deserialization vulnerability that arises from the way GoAnywhere MFT handles license validation. Deserialization is the process of converting a data format back into an object that can be used by an application. When this process is not properly secured, attackers can manipulate the serialized data to inject malicious code, leading to arbitrary code execution.

In the case of CVE-2025-10035, an attacker can forge a valid license response signature. This tricks the GoAnywhere MFT server into deserializing a malicious object. This object contains commands that the attacker wants to execute on the server. Once deserialized, these commands are executed with the privileges of the GoAnywhere MFT application, potentially leading to a complete system compromise.

Timeline of Events

The following timeline outlines the key events related to CVE-2025-10035:

  • September 10, 2025: watchTowr Labs receives credible evidence indicating that the vulnerability had been exploited in the wild.
  • September 11, 2025: Fortra claims the vulnerability was initially discovered during a “security check.”
  • September 18, 2025: Fortra discloses CVE-2025-10035 and releases patches.
  • September 24, 2025: watchTowr Labs publishes a detailed Proof-of-Concept (PoC) exploit code for CVE-2025-10035.
  • September 25, 2025: watchTowr Labs publishes a follow-up report confirming active zero-day exploitation.

This timeline suggests that the vulnerability was actively exploited before a patch was available, highlighting the critical nature of zero-day vulnerabilities and the need for proactive security measures.

Observed Attack Details

WatchTowr Labs provided details on the observed attacks. Threat actors exploited CVE-2025-10035 to achieve Remote Code Execution (RCE) and create a backdoor administrator account named ‘admin-go’. This account was then used to create a web user, granting legitimate access to the solution. This allowed the threat actor to upload and execute secondary payloads. The motivation behind the attacks and specific threat actor attribution remain unknown.

Indicators of Compromise (IOCs)

The following Indicators of Compromise (IOCs) have been identified in connection with CVE-2025-10035:

  • Attacker IP Address: 155.2.190[.]197
  • Malware Executable (zato_be.exe): 68c4abcb024c65388db584122eff409fb8459e0ca930c717f2217b90e6f2f5bc
  • Malware Executable (jwunst.exe): a72fa3b5bdd299579a03b94944e2b0b18f1bf564d4ff08a19305577a27575cc8

These IOCs can be used to identify potentially compromised systems and track attacker activity. Regularly monitoring for these indicators using threat intelligence platforms and security information and event management (SIEM) systems is crucial for detecting and responding to attacks.

Historical Context: GoAnywhere MFT Vulnerabilities

GoAnywhere MFT vulnerabilities have been targeted by threat actors in the past. CVE-2023-0669, a zero-day vulnerability, was exploited by the Cl0p ransomware group in February 2023. The attackers targeted exposed GoAnywhere MFT Admin Consoles, leading to Cl0p ransomware deployment and data extortion. This historical context demonstrates the importance of promptly patching GoAnywhere MFT instances and implementing robust security measures.

This reinforces the need for continuous supply-chain risk monitoring to identify and mitigate vulnerabilities in third-party software.

To mitigate the risk posed by CVE-2025-10035, organizations should take the following steps:

  1. Apply Security Patches: After performing a business impact review, apply the security patches released by Fortra immediately. Ensure that you are running GoAnywhere MFT version 7.8.4 or the Sustain Release 7.6.3.
  2. Restrict External Access: Limit external access to GoAnywhere MFT’s Admin Console. Implement access control lists (ACLs) and firewall rules to restrict access to authorized users and networks.
  3. Monitor for IOCs: Continuously monitor systems for the IOCs associated with CVE-2025-10035. Utilize threat intelligence feeds and SIEM systems to detect suspicious activity.
  4. Implement Web Application Firewall (WAF): A WAF can help filter out malicious traffic and prevent exploitation attempts targeting web applications, including GoAnywhere MFT’s Admin Console.
  5. Conduct Regular Vulnerability Assessments: Perform regular vulnerability assessments to identify and remediate security weaknesses in your environment.
  6. Implement Network Segmentation: Segment your network to limit the impact of a potential breach. Isolate critical systems, such as GoAnywhere MFT servers, from other parts of the network.
  7. Enable Multi-Factor Authentication (MFA): Enforce MFA for all user accounts, including administrator accounts, to prevent unauthorized access.
  8. Utilize a Dark Web Monitoring Service: Monitor the dark web for mentions of your organization, GoAnywhere MFT deployments, and related sensitive information. This can provide early warning of potential threats and data breaches.

Practical Takeaways

For Technical Readers:

  • Patch Management: Implement a rigorous patch management process to ensure that all systems are promptly updated with the latest security patches.
  • Intrusion Detection: Deploy intrusion detection systems (IDS) and intrusion prevention systems (IPS) to detect and block exploitation attempts.
  • Log Analysis: Regularly review logs for suspicious activity and anomalies. Correlate logs from different sources to gain a comprehensive view of your security posture.
  • Incident Response Plan: Develop and maintain an incident response plan to effectively respond to security incidents. This plan should include procedures for identifying, containing, eradicating, and recovering from attacks.

For Non-Technical Readers:

  • Awareness Training: Provide regular security awareness training to employees to educate them about common threats and how to avoid them.
  • Risk Assessment: Conduct regular risk assessments to identify and prioritize security risks. This will help you allocate resources effectively and focus on the most critical areas.
  • Vendor Management: Establish a vendor management program to assess the security posture of your third-party vendors. This includes reviewing their security policies, conducting due diligence, and monitoring their security performance.
  • Business Continuity Planning: Develop a business continuity plan to ensure that your organization can continue operating in the event of a security incident or other disruption.

How PurpleOps Can Help

PurpleOps offers a range of PurpleOps Solutions to help organizations protect against vulnerabilities like CVE-2025-10035 and other cyber threats. Our offerings include:

  • Cyber Threat Intelligence Platform: Gain access to real-time ransomware intelligence and threat data to proactively identify and mitigate threats.
  • Breach Detection: Our advanced breach detection capabilities can help you quickly identify and respond to security incidents.
  • Supply-Chain Risk Monitoring: We provide comprehensive supply-chain risk monitoring to identify and manage vulnerabilities in your third-party software.
  • Underground Forum Intelligence: Our dark web monitoring service and underground forum intelligence capabilities can provide early warning of potential threats and data breaches.
  • Brand Leak Alerting: Protect your brand reputation with our brand leak alerting service, which monitors for unauthorized use of your brand assets.
  • Managed Detection and Response (MDR): Our MDR services provide 24/7 monitoring and response to security incidents, ensuring that threats are quickly contained and eradicated.
  • Penetration Testing: We offer penetration testing services to identify vulnerabilities in your systems and applications before they can be exploited by attackers.
  • Red Team Operations: Our red team operations simulate real-world attacks to test your organization’s security defenses.

Conclusion

The active exploitation of the GoAnywhere MFT zero-day vulnerability, CVE-2025-10035, underscores the importance of proactive security measures, including prompt patching, access control, and continuous monitoring. Organizations should implement the recommended mitigation steps to protect their systems and data from potential attacks. By leveraging PurpleOps’ comprehensive suite of PurpleOps Solutions, businesses can enhance their security posture and mitigate the risks associated with emerging threats.

To learn more about how PurpleOps can help you protect your organization from cyber threats, explore our PurpleOps Solutions or contact us for more information.

FAQ

What is CVE-2025-10035?
CVE-2025-10035 is a critical deserialization vulnerability in Fortra’s GoAnywhere MFT that allows attackers to execute arbitrary commands on the system.

How can I protect my organization from this vulnerability?
Apply security patches immediately, restrict external access to GoAnywhere MFT’s Admin Console, monitor for IOCs, and implement a Web Application Firewall (WAF).

What is a zero-day vulnerability?
A zero-day vulnerability is a flaw that is exploited before a patch is available, making it particularly dangerous.

What services does PurpleOps offer to help mitigate cyber threats?
PurpleOps offers a Cyber Threat Intelligence Platform, breach detection, supply-chain risk monitoring, dark web monitoring, and Managed Detection and Response (MDR) services, among others.