Ethical Hacking News
Fortra has revealed that CVE-2025-10035, a deserialization vulnerability in the License Servlet of its GoAnywhere MFT software, has been under active exploitation since September 11, 2025. The flaw has been patched, but how the attackers obtained the private key needed to exploit it has still not been explained.
A critical security flaw in GoAnywhere Managed File Transfer (MFT), tracked as CVE-2025-10035, was reported to Fortra on September 11, 2025, and was already being exploited by then. Microsoft attributes the attacks to a threat actor it tracks as Storm-1175, which has used the flaw to deploy Medusa ransomware. Fortra has issued fixed releases and mitigations, including keeping the admin console off the public internet and upgrading to patched versions. The incident underscores the need for robust monitoring and prompt patch management on internet-facing file transfer systems.
Over the past several weeks, a critical security flaw in GoAnywhere Managed File Transfer (MFT) has been the focus of attention for security researchers. Tracked as CVE-2025-10035 and assigned by Fortra, the vendor of the affected software, it has already been used by at least one threat actor to deploy ransomware.
According to Fortra, the vulnerability was first identified on September 11, 2025, when a customer reported a "potential vulnerability" related to GoAnywhere MFT. Upon further investigation, Fortra discovered "potentially suspicious activity" that indicated the flaw was under active exploitation by threat actors. That same day, the company notified on-premises customers who had their admin console accessible to the public internet and contacted law enforcement authorities about the incident.
Following this initial alert, Fortra made a hotfix available for the 7.6.x, 7.7.x, and 7.8.x branches, with full releases incorporating the fix, version 7.8.4 and the 7.6.3 sustain release, published on September 15. Three days later, on September 18, CVE-2025-10035 was formally published.
The vulnerability is a deserialization flaw in the License Servlet that can lead to command injection without authentication: an attacker who can get the servlet to deserialize attacker-controlled data can run commands on the server without ever logging in. Fortra's own advisory does not name the attacker; the attribution comes from Microsoft, which reported on its blog earlier this week that the actor it tracks as Storm-1175 has been exploiting CVE-2025-10035 since September 11 and has used the access to deploy Medusa ransomware.
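To make the bug class concrete, the following Java program is an added illustration by the editor. It is not GoAnywhere's code, does not reproduce the License Servlet, and does not show Fortra's fix; the class names (DeserializationDemo, LicenseResponse, Unexpected) and the request bodies are constructed for the demo. It contrasts an endpoint that deserializes whatever bytes a client sends, before any authentication, with the same read guarded by a JEP 290 ObjectInputFilter allowlist (Java 9 or later).

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Set;

/*
 * Editor-added illustration of the bug class behind CVE-2025-10035
 * (unauthenticated Java deserialization in a servlet). NOT GoAnywhere's code:
 * the class names, request bodies and the hardening shown are constructed.
 */
public class DeserializationDemo {

    /** The one payload type a hypothetical license endpoint is meant to accept. */
    public static final class LicenseResponse implements Serializable {
        private static final long serialVersionUID = 1L;
        final String licensee;
        LicenseResponse(String licensee) { this.licensee = licensee; }
    }

    /** Stand-in for any other serializable class an attacker can name in the stream. */
    public static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    /** VULNERABLE: whatever class the client encoded is instantiated, before any auth check. */
    static Object readUnsafely(InputStream body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(body)) {
            return in.readObject();
        }
    }

    /** HARDENED: allowlist filter; every class other than the expected one is rejected. */
    static Object readWithAllowlist(InputStream body) throws IOException, ClassNotFoundException {
        Set<String> allowed = Set.of(LicenseResponse.class.getName(), String.class.getName());
        ObjectInputFilter filter = info -> {
            Class<?> c = info.serialClass();
            if (c == null) {
                // Callbacks with no class carry only depth/size counters; cap nesting.
                return info.depth() > 4 ? ObjectInputFilter.Status.REJECTED
                                        : ObjectInputFilter.Status.UNDECIDED;
            }
            return allowed.contains(c.getName()) ? ObjectInputFilter.Status.ALLOWED
                                                 : ObjectInputFilter.Status.REJECTED;
        };
        try (ObjectInputStream in = new ObjectInputStream(body)) {
            in.setObjectInputFilter(filter);
            return in.readObject();
        }
    }

    /** Plays the client: builds a serialized request body (constructed sample input). */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] legit = serialize(new LicenseResponse("example-customer"));
        byte[] hostile = serialize(new Unexpected());

        System.out.println("unsafe, legit   -> "
                + readUnsafely(new ByteArrayInputStream(legit)).getClass().getSimpleName());
        System.out.println("unsafe, hostile -> "
                + readUnsafely(new ByteArrayInputStream(hostile)).getClass().getSimpleName());
        System.out.println("filter, legit   -> "
                + readWithAllowlist(new ByteArrayInputStream(legit)).getClass().getSimpleName());
        try {
            readWithAllowlist(new ByteArrayInputStream(hostile));
            System.out.println("filter, hostile -> accepted (filter misconfigured)");
        } catch (InvalidClassException e) {
            System.out.println("filter, hostile -> rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac DeserializationDemo.java && java DeserializationDemo`. The unfiltered read happily instantiates the unexpected class; in a real application that class would be a gadget chain rather than an empty marker, which is how deserialization turns into command execution. An allowlist filter is a defence in depth, not a substitute for authenticating and verifying the request before any object is reconstructed.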
Even after the formal publication of CVE-2025-10035, there is still no public explanation of how the threat actors obtained the private key needed to exploit the vulnerability. That gap matters for defenders, because it leaves open whether the key was leaked, stolen, or recovered by other means.
In response to the exploitation of CVE-2025-10035, Fortra has issued additional mitigations for GoAnywhere MFT users: do not expose the admin console to the internet (the customers Fortra notified on September 11 were those with an internet-reachable admin console), enable monitoring, and upgrade to the fixed releases. This advice matches established practice for managed file transfer systems, which routinely sit at the network edge and hold sensitive data.
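As an added check (the editor's example, not a Fortra tool), the following Java class compares a GoAnywhere version string against the fixed releases named above: 7.8.4, and 7.6.3 on the 7.6 sustain line. Two caveats: it only sees the version number, so a 7.7.x or 7.8.3 build that received the hotfix will still be reported as needing an upgrade, and treating anything above 7.8.4 (7.9.x, 8.x) as fixed is an assumption about future releases, not something the advisory states.

```java
/*
 * Editor-added version check for CVE-2025-10035; not a Fortra tool.
 * Fixed releases taken from the advisory: 7.8.4 (mainline) and 7.6.3 (sustain).
 * Assumption: releases newer than 7.8.4 also contain the fix.
 * Limitation: a hotfixed build keeps its old version string and is reported
 * here as "upgrade required"; confirm the hotfix separately in that case.
 */
public final class GoAnywhereVersionCheck {

    private static final int[] FIXED_7_6_SUSTAIN = {7, 6, 3};
    private static final int[] FIXED_MAINLINE    = {7, 8, 4};

    /** Parses "7.8.4" (or "7.8.4.1") into numeric parts; non-numeric input throws. */
    static int[] parse(String version) {
        String[] parts = version.trim().split("\\.");
        int[] out = new int[parts.length];
        for (int i = 0; i < parts.length; i++) {
            out[i] = Integer.parseInt(parts[i]);
        }
        return out;
    }

    /** Component-wise compare; missing trailing components count as zero. */
    static int compare(int[] a, int[] b) {
        int n = Math.max(a.length, b.length);
        for (int i = 0; i < n; i++) {
            int x = i < a.length ? a[i] : 0;
            int y = i < b.length ? b[i] : 0;
            if (x != y) {
                return Integer.compare(x, y);
            }
        }
        return 0;
    }

    /** True when the version string is a release that already contains the fix. */
    public static boolean isFixedRelease(String version) {
        int[] v = parse(version);
        boolean onSustainLine = v.length >= 2 && v[0] == 7 && v[1] == 6;
        int[] floor = onSustainLine ? FIXED_7_6_SUSTAIN : FIXED_MAINLINE;
        return compare(v, floor) >= 0;
    }

    public static void main(String[] args) {
        // Constructed sample inputs covering each branch the advisory names.
        String[] samples = {"7.6.2", "7.6.3", "7.7.1", "7.8.3", "7.8.4", "7.9.0"};
        for (String s : samples) {
            System.out.printf("%-6s -> %s%n", s,
                    isFixedRelease(s) ? "fixed release" : "upgrade required (or verify hotfix)");
        }
    }
}
```

Feed it the version shown in the GoAnywhere admin console or in your asset inventory; anything reported as "upgrade required" on 7.7.x has no fixed release of its own in the advisory and should move to 7.8.4.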
For organizations that rely on GoAnywhere MFT, CVE-2025-10035 is a reminder that an internet-facing file transfer server needs the same monitoring and patch discipline as any other edge system, and that exploitation can precede the public advisory by days. Acting on vendor notifications immediately, upgrading to the fixed releases, and reviewing exposure of the admin console are the concrete steps this incident calls for.
Related Information:
https://www.ethicalhackingnews.com/articles/CVE-2025-10035-The-Shadowy-Exploitation-of-a-Critical-Security-Flaw-in-GoAnywhere-Managed-File-Transfer-ehn.shtml
https://thehackernews.com/2025/10/from-detection-to-patch-fortra-reveals.html
Published: Thu Oct 16 19:33:58 2025 by llama3.2 3B Q4_K_M