Security expert questions Fortra’s response to latest GoAnywhere MFT vulnerability

“The advisory and IOCs do not sit right with us” – watchTowr CEO, Benjamin Harris, on Fortra’s disclosure of CVE-2025-10035.


Fortra recently disclosed a ‘perfect 10’ vulnerability in its GoAnywhere MFT file transfer system, an issue that could lead to command injection and the subsequent compromise of any data on the system.

At the time, the vulnerability – CVE-2025-10035 – caused some concern among security specialists, especially given prior exploitation of the platform by a prominent threat actor, Cl0p, which claimed more than a hundred victims through a prior vulnerability in GoAnywhere MFT.

“Currently, there is no known public exploit code available for the new vulnerability, CVE-2025-10035, and the vendor has not reported CVE-2025-10035 as having been exploited in the wild,” Stephen Fewer, a security engineer at Rapid7, said in a 20 September blog post.


“However, given the nature and history of this product, this new vulnerability should be treated as a significant threat.”

While the vulnerability itself is almost certainly exactly that – “a significant threat” – another expert is just as worried about how Fortra has framed its disclosure, and suspects that malicious actors are already exploiting the new vulnerability.

“When we saw the IOCs and stack traces included in Fortra’s advisory, our first reaction was simple: this feels bad,” Benjamin Harris, CEO and founder of watchTowr, told Cyber Daily.

“In our experience, vendors rarely provide that level of detection detail unless there’s evidence of exploitation in the wild (if there’s no exploitation, why would there be evidence of exploitation in customer log files?).

“The sharing of those IOCs makes us logically uneasy, because it strongly suggests that attackers may already be active. For a purely theoretical vulnerability, you’d typically expect the guidance to stop at version checks and patching, not to dig into logs looking for signs of compromise. The fact that Fortra went further implies this isn’t just a hypothetical risk – and this is not one to gamble on.”

Harris said that watchTowr’s research found that there was clearly an unauthenticated path straight into deserialisation via the platform’s License Servlet, but that while a SignedObject signature check should prevent any malicious activity, Fortra’s patch for CVE-2025-10035 didn’t make any changes to the signature logic. Instead, it just addressed the deserialisation flow itself.

This, Harris said, was particularly puzzling.

Curiouser & curiouser

“Exploitation of this vulnerability would require forging a signed object, which means an attacker would need access to Fortra’s private key. Only the public key is shipped with the product, so we cannot generate valid signatures ourselves,” Harris said.

“We can only speculate on how an attacker might obtain access: a leaked private key, misuse of Fortra’s licensing servers, or a bypass we haven’t yet uncovered. At this point, we have no evidence to confirm any of those possibilities.

“What is clear from our analysis is that remote code execution doesn’t seem achievable without the private key. That leaves three possibilities: Fortra made a mistake, we made a mistake, or Fortra believes someone has obtained the private key.”

Essentially, the signature check is all that stands between this vulnerability and remote code execution. According to Harris, “the private key is the missing piece that determines whether this attack path is actually viable”.
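As an added illustration (not code from Fortra, watchTowr or this article), the Java sketch below shows the gate Harris describes: a java.security.SignedObject is only handed to the deserialiser once its signature verifies against the shipped public key, so an object signed with anything other than the issuer’s private key is rejected before getObject() ever runs. The LicenseRequest class, the key names and the SHA256withRSA algorithm are assumptions for the example, not details taken from GoAnywhere MFT.

```java
import java.io.Serializable;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignedObject;

public class SignedObjectGate {
    // Constructed payload type standing in for whatever the product wraps (assumption).
    static final class LicenseRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        final String customerId;
        LicenseRequest(String customerId) { this.customerId = customerId; }
    }

    // Issuer side: wrap and sign with the private key, which only the issuer holds.
    static SignedObject sign(Serializable payload, PrivateKey priv) throws Exception {
        return new SignedObject(payload, priv, Signature.getInstance("SHA256withRSA"));
    }

    // Receiver side: verify against the shipped public key BEFORE calling getObject(),
    // because getObject() is the step that deserialises the embedded bytes.
    static Object acceptIfValid(SignedObject so, PublicKey pub) throws Exception {
        if (!so.verify(pub, Signature.getInstance("SHA256withRSA"))) {
            throw new SecurityException("signature check failed; refusing to deserialise");
        }
        return so.getObject();
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair issuer = gen.generateKeyPair();    // plays the vendor's signing key
        KeyPair someoneElse = gen.generateKeyPair(); // any key that is not the issuer's

        // Object signed with the issuer's private key: verifies, then is deserialised.
        SignedObject good = sign(new LicenseRequest("cust-0001"), issuer.getPrivate());
        LicenseRequest r = (LicenseRequest) acceptIfValid(good, issuer.getPublic());
        System.out.println("accepted: " + r.customerId);

        // Same structure signed with a different key: rejected before deserialisation.
        SignedObject other = sign(new LicenseRequest("cust-0002"), someoneElse.getPrivate());
        try {
            acceptIfValid(other, issuer.getPublic());
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The ordering is the whole point: a receiver that calls getObject() first, or skips verify(), has no gate at all, which is why the private key is the deciding factor in Harris’s analysis.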

“Additionally, Fortra rated this CVSS 10.0 and warned that it could lead to command injection – a strong statement. They went further than most vendors by publishing stack traces in their advisory,” Harris said.

“That level of disclosure is unusual and raised our eyebrows. We do not dispute that they may have found it on Sept. 11, but the way it has been communicated leaves unanswered questions.”

Harris’s bottom line, and his gut feeling, is that this feels very wrong, and that Fortra’s advisory is deeply problematic.

“The presence of IOCs suggests exploitation may already be happening. We have not yet been able to produce a working exploit because of the signature check, which we believe can only be satisfied by someone with the private key. Given this, and the changes to the code base, we believe Fortra is aware of this.”

The plot, however, has well and truly thickened. While this feature was being written, the United States Cybersecurity & Infrastructure Security Agency (CISA) added CVE-2025-10035 to its Known Exploited Vulnerabilities Catalog, a clear indicator of ongoing malicious activity targeting GoAnywhere MFT.

For its part, though, Fortra's advisory makes no mention of active exploitation.

Mystery & confusion

“We continue to be confused as to why Fortra is not advising customers of what appears to be clear evidence of in-the-wild exploitation since at least September 10th. CISA’s addition of these vulnerabilities to the exclusive KEV list only adds to this confusion. We urge Fortra to share their viewpoint and would encourage customers to ask Fortra what they should be doing with regards to patching cycles. Is this urgent, or can it wait until Christmas?” Harris said.

“In-the-wild exploitation aside, the mystery surrounding this vulnerability remains. Per part 1 of our analysis, we are unclear how exploitation of this vulnerability is possible unless a few very scary scenarios have played out – including attackers gaining control over private keys owned by Fortra. Now that in-the-wild exploitation is confirmed by CISA, this mystery only grows.”

In response, Fortra said it is still looking into the vulnerability and that the issue only impacts a portion of its customers. The company has not clarified if it is aware of active exploitation.

“CVE-2025-10035 is primarily relevant to organisations with a GoAnywhere admin console exposed to the internet,” a Fortra spokesperson told Cyber Daily.

“Upon identifying the vulnerability, we immediately notified those customers and continue to provide direct updates and support. Our investigation is ongoing, and our security advisory outlines what organisations need to know based on current findings. We will provide additional information as it becomes available.”

David Hollingworth


David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
