Security researchers have confirmed that threat actors have exploited the maximum-severity vulnerability affecting Fortra’s GoAnywhere managed file transfer (MFT), and chastised the vendor for a lack of transparency.
The experts over at watchTowr, never ones to mince their words, described the revelation as “an increasingly disappointing situation,” criticizing Fortra for not sharing enough details about the exploitation status of CVE-2025-10035.
The Register reported on the vulnerability last week after Fortra disclosed it on September 18. In our story, we noted that Fortra, in its “Am I Impacted?” section, did not confirm whether the flaw was being actively exploited.
“Exploitation of this vulnerability is highly dependent upon systems being externally exposed to the internet,” it said at the time.
The watchTowr researchers Xeeted that it was likely that exploits had already been successful, and in their latest blog, they said that they received evidence of attacks using the vulnerability on September 10.
According to watchTowr’s findings, attackers trigger the pre-auth deserialization bug to achieve remote code execution (RCE) capability, then create backdoor admin accounts and web users before executing multiple follow-on payloads.
“Unfortunately, the picture now painted allows for evidence-based confidence in the concern that Fortra’s ‘Am I Impacted?’ section probably was not Fortra attempting to be overly helpful, but a thinly veiled way of sharing ‘Indicators of Compromise,'” the researchers wrote.
They went on to say that, after discovering attacks began eight days prior to Fortra’s advisory, researchers have concluded that defenders are at greater risk because they now have to trawl through even more logs to ensure their systems’ safety.
Benjamin Harris, CEO and founder of watchTowr, said: “After our initial research into GoAnywhere MFT’s CVE-2025-10035 raised more questions than answers, credible evidence shared with the watchTowr team now adds weight to our suspicions.
“This is not ‘just’ a CVSS 10.0 flaw in a solution long favored by APT groups and ransomware operators — it is a vulnerability that has been actively exploited in the wild since at least September 10, 2025.
“We urge Fortra to clarify the situation. If this evidence and our suspicions hold true, transparency is critical so that organizations using GoAnywhere MFT can make informed decisions, including whether to initiate incident response investigations.”
In a blog published earlier this week, the researchers said GoAnywhere MFT is deployed by organizations in the Fortune 500, and that there were more than 20,000 instances still exposed to the internet. No word on how many of these were unpatched, however.
‘An attacker’s playground’
Given the size of the organizations potentially still vulnerable to CVE-2025-10035, watchTowr said successful exploits could result in “a playground [advanced persistent threat] groups dream about.”
The same product was similarly under the industry’s microscope in 2023 after it was popped by Cl0p using CVE-2023-0669 (7.2) – a zero-day – as part of a series of attacks on MFT vendors, which in total resulted in thousands of compromises at downstream organizations.
“That was the year of MFT exploitation trauma across multiple vendors, burned into the memory of defenders everywhere,” watchTowr said.
After Cl0p had its way with hundreds of GoAnywhere customers in January 2023, it shifted focus in the following months to Progress’ MOVEit MFT, which resulted in thousands of compromises affecting roughly 96 million individuals, by Emsisoft’s reckoning.
CISA also confirmed that CVE-2023-0669 was exploited by leading cybercrime gangs at the time, LockBit and BlackBasta, to deploy ransomware.
The Register contacted Fortra for comment and we’ll update this article if and when we receive a response. ®