
"The flaw is described as a deserialization vulnerability in the secure file transfer application's license servlet, which could allow an attacker with a forged license response signature to deserialize a crafted object and achieve command injection. 'Immediately ensure that access to the GoAnywhere Admin Console is not open to the public. Exploitation of this vulnerability is highly dependent upon systems being externally exposed to the internet,' Fortra warned."
"According to watchTowr, Fortra was eight days late with its patches for CVE-2025-10035, as the issue had been exploited as a zero-day when discovered on September 11. 'We have been given credible evidence of in-the-wild exploitation of Fortra GoAnywhere CVE-2025-10035 dating back to September 10, 2025. That is eight days before Fortra's public advisory,' watchTowr notes. As part of the observed attacks, hackers triggered the vulnerability for remote code execution (RCE), without authentication, to create a backdoor admin account on vulnerable instances."
A deserialization vulnerability in the GoAnywhere MFT license servlet (CVE-2025-10035, CVSS 10.0) can allow an attacker with a forged license response signature to deserialize a crafted object and achieve command injection. Fortra released a patch on September 18 and provided indicators of compromise for hunting, while warning administrators not to expose the Admin Console publicly. watchTowr reports credible evidence of in-the-wild exploitation dating back to September 10–11, predating the patch by eight days. Observed exploitation enabled unauthenticated remote code execution, creation of backdoor admin accounts, creation of web users, and uploading and execution of additional payloads. Over 20,000 GoAnywhere instances are internet-accessible, including Fortune 500 deployments.
#goanywhere-mft #cve-2025-10035 #deserialization-vulnerability #zero-day-exploitation #remote-code-execution
Read at SecurityWeek