
Recent Fortra GoAnywhere MFT Vulnerability Exploited as Zero-Day


Exploitation of a recently disclosed Fortra GoAnywhere MFT vulnerability started at least one week before patches were released, cybersecurity firm watchTowr reports.

Fortra fixed the security defect, tracked as CVE-2025-10035 (CVSS score of 10/10), on September 18, making no mention of its in-the-wild exploitation but sharing indicators of compromise (IoCs) to help organizations hunt for potential attacks.

The flaw is described as a deserialization vulnerability in the secure file transfer application’s license servlet, which could allow an attacker with a forged license response signature to deserialize a crafted object and achieve command injection.

“Immediately ensure that access to the GoAnywhere Admin Console is not open to the public. Exploitation of this vulnerability is highly dependent upon systems being externally exposed to the internet,” Fortra warned.

According to watchTowr, Fortra was eight days late with its patches for CVE-2025-10035, as the issue had been exploited as a zero-day when discovered on ...


Copyright of this story solely belongs to securityweek.