Unveiling the Complete Timeline of CVE-2025-10035 Exploitation: Fortra’s Journey from Detection to Patch

Fortra Discovers Critical Security Flaw in GoAnywhere MFT Under Active Exploitation
Fortra recently disclosed the findings of its investigation into CVE-2025-10035, a severe security vulnerability in GoAnywhere Managed File Transfer (MFT) that has been actively exploited since September 11, 2025.
Following a report from a customer regarding a potential vulnerability, Fortra initiated an investigation on the same day, uncovering suspicious activities associated with the flaw.
The company promptly notified on-premises customers with publicly accessible GoAnywhere admin consoles and alerted law enforcement authorities about the incident.

A hotfix for versions 7.6.x, 7.7.x, and 7.8.x was released the following day, with complete patches integrated into versions 7.6.3 and 7.8.4 on September 15. A formal CVE for the vulnerability was published three days later.
The risk associated with CVE-2025-10035 is confined to customers with exposed admin consoles, with other web components of GoAnywhere remaining unaffected.
Although there have been a few reports of unauthorized activity linked to the vulnerability, Fortra recommends that users restrict access to the admin console from the internet, implement monitoring, and keep their software updated.
CVE-2025-10035 involves a deserialization vulnerability in the License Servlet that could lead to command injection without authentication. Microsoft disclosed that threat actor Storm-1175 has been exploiting this flaw to distribute Medusa ransomware.

However, the method by which threat actors obtained the necessary private keys to exploit the vulnerability remains unclear.
WatchTowr CEO Benjamin Harris emphasized that the confirmation of unauthorized activity related to CVE-2025-10035 underscores the real-world impact of the flaw and the attacker’s ability to bypass the cryptographic requirements.