Ethical Hacking News

The Maximum Severity Vulnerability in Fortra's GoAnywhere MFT Exposed: A Wake-Up Call for System Administrators




A critical vulnerability in Fortra's GoAnywhere MFT has been exploited by hackers, allowing them to inject commands remotely without authentication. This maximum severity flaw can be leveraged to achieve remote command execution and exfiltrate sensitive data. System administrators are urged to take immediate action to patch their systems and remove public internet exposure for the GoAnywhere Admin Console.

  • Fortra's GoAnywhere MFT software has a maximum severity vulnerability (CVE-2025-10035) that allows attackers to inject commands remotely without authentication.
  • The flaw is a deserialization vulnerability in the License Servlet of the GoAnywhere MFT software.
  • Security researchers have observed evidence of exploitation, including zero-day attacks beginning on September 10, 2025.
  • After exploiting the vulnerability, attackers achieve remote command execution and create a backdoor account called 'admin-go'.
  • The attackers also exfiltrate sensitive information by saving the output of the 'whoami/groups' command to a text file (test.txt).
  • Fortra has recommended that admins upgrade to a patched version, remove public internet exposure for the GoAnywhere Admin Console, and inspect log files for errors.



    In a disturbing turn of events, it has come to light that hackers are actively exploiting a maximum severity vulnerability (CVE-2025-10035) in Fortra's GoAnywhere MFT software. This vulnerability allows attackers to inject commands remotely without authentication, posing significant risks to the security and integrity of an organization's data. The vendor, Fortra, had previously disclosed the flaw on September 18, but it appears that it had not shared any details about how the vulnerability was discovered or whether it was being exploited.

    GoAnywhere MFT is managed file transfer software: it moves files between systems over a network, which makes it a natural target for attackers seeking to inject commands into the system. In this case, the flaw is a deserialization vulnerability in the License Servlet of the GoAnywhere MFT software, which can be leveraged to inject commands by an actor holding a validly forged license response signature.

    Security researchers at watchTowr Labs have been monitoring the situation and state that they received credible evidence of Fortra's GoAnywhere CVE-2025-10035 being leveraged as a zero-day. According to their report, this exploitation began on September 10, 2025, eight days before Fortra's public advisory was published.

    The watchTowr report highlights the severity of the situation by describing the stack trace associated with exploitation and the creation of a backdoor account. The attackers achieve remote command execution after exploiting the pre-auth deserialization vulnerability and create a backdoor admin account called 'admin-go'. This account is then used to create a web user that provides seemingly legitimate access, allowing further manipulation of the system.

    Furthermore, watchTowr has observed traces of CVE-2025-10035 exploitation. The payloads in use are named 'zato_be.exe' and 'jwunst.exe'; the latter is a legitimate binary for the remote access product SimpleHelp, abused here to maintain persistent hands-on control of compromised endpoints.

    The attackers also executed the 'whoami/groups' command, which prints the current user account and Windows group memberships, and saved the output to a text file (test.txt) for exfiltration. This allows the threat actor to check the privileges of the compromised account and explore lateral movement opportunities within the breached environment.

    Given that Fortra's advisory has not been updated to include any information about the vulnerability being used in attacks, security researchers are urging system administrators to take immediate action. The recommended course of action is to upgrade to a patched version, either 7.8.4 (latest) or 7.6.3 (Sustain Release). Furthermore, removing public internet exposure for the GoAnywhere Admin Console can serve as an additional mitigation.

    It's also worth noting that Fortra has recommended that admins inspect log files for errors containing the string 'SignedObject.getObject' to determine whether an instance has been impacted by this vulnerability.
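    As an added illustration (not code from Fortra, watchTowr, or this article), the following script triages a GoAnywhere log for the 'SignedObject.getObject' string Fortra recommends searching for, together with the other indicators named above, and checks a version string against the patched releases. The log format and sample lines are constructed; real GoAnywhere logs differ.

```python
import re
from dataclasses import dataclass

# Indicators quoted in the article. The log format and sample lines below are
# constructed for this example; real GoAnywhere MFT logs look different.
DESER_ERROR = "SignedObject.getObject"        # string Fortra recommends searching for
BACKDOOR_ACCOUNT = "admin-go"                 # backdoor admin account reported by watchTowr
DROPPED_FILES = ("zato_be.exe", "jwunst.exe", "test.txt")
RECON_CMD = re.compile(r"whoami\s*/groups", re.IGNORECASE)

@dataclass(frozen=True)
class Finding:
    line_no: int   # 1-based line number within the scanned log
    reason: str
    text: str

def is_patched(version: str) -> bool:
    """Patched releases named in the article: 7.8.4 (latest) or 7.6.3 (Sustain).
    Assumption: later builds on the same release train also carry the fix."""
    v = tuple(int(p) for p in version.split("."))
    if v[:2] == (7, 6):
        return v >= (7, 6, 3)
    return v >= (7, 8, 4)

def scan_log(lines):
    """Return one Finding per indicator hit; a single line may yield several."""
    findings = []
    for no, line in enumerate(lines, start=1):
        low = line.lower()
        if DESER_ERROR in line:
            findings.append(Finding(no, "deserialization error (possible exploit attempt)", line))
        if BACKDOOR_ACCOUNT in low:
            findings.append(Finding(no, "backdoor account referenced", line))
        if RECON_CMD.search(line):
            findings.append(Finding(no, "whoami /groups reconnaissance", line))
        for name in DROPPED_FILES:
            if name in low:
                findings.append(Finding(no, f"suspicious file {name}", line))
    return findings

SAMPLE_LOG = """\
2025-09-10 03:12:44 INFO  LicenseServlet: license response received
2025-09-10 03:12:45 ERROR Exception at java.security.SignedObject.getObject(SignedObject.java)
2025-09-10 03:13:02 INFO  Admin user created: admin-go
2025-09-10 03:15:10 INFO  Web user created: svc-xfer (by admin-go)
2025-09-10 03:16:30 INFO  Process started: cmd.exe /c whoami/groups > C:\\Temp\\test.txt
2025-09-10 03:18:01 INFO  File written: C:\\Temp\\jwunst.exe
2025-09-11 09:00:00 INFO  Scheduled transfer completed
""".splitlines()

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.reason}")
    for ver in ("7.8.3", "7.8.4", "7.6.3", "7.7.1"):
        print(ver, "patched" if is_patched(ver) else "UPGRADE")
```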

    In conclusion, the maximum severity vulnerability in Fortra's GoAnywhere MFT software is a wake-up call for system administrators. The attackers are actively exploiting this vulnerability, and it's essential to take immediate action to protect against potential attacks.

    Related Information:
  • https://www.ethicalhackingnews.com/articles/The-Maximum-Severity-Vulnerability-in-Fortras-GoAnywhere-MFT-Exposed-A-Wake-Up-Call-for-System-Administrators-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/maximum-severity-goanywhere-mft-flaw-exploited-as-zero-day/

  • https://www.securityweek.com/recent-fortra-goanywhere-mft-vulnerability-exploited-as-zero-day/

  • https://nvd.nist.gov/vuln/detail/CVE-2025-10035

  • https://www.cvedetails.com/cve/CVE-2025-10035/

  • https://www.socinvestigation.com/comprehensive-list-of-apt-threat-groups-motives-and-attack-methods/

  • https://www.packetlabs.net/posts/apt-mustang-panda-stolen-pencil-threat-actor-names-demystified/


  • Published: Fri Sep 26 20:27:41 2025 by llama3.2 3B Q4_K_M