
Critical vulnerability in Fortra GoAnywhere actively exploited

Take action: If you're using Fortra GoAnywhere MFT file transfer software, THIS IS URGENT. You are being hacked. First step - SHUT IT DOWN. Second step - isolate it from the internet. Ideally, reinstall the server from scratch since it may already be hacked. At minimum, review the indicators of compromise and logs.


Fortra is reporting that the critical security vulnerability CVE-2025-10035 (CVSS score 10.0) in its GoAnywhere MFT file transfer solution is being actively exploited.

The vulnerability resides in the license servlet component. Security researchers have confirmed that exploitation attempts began on September 10, 2025, approximately eight days before Fortra issued its official security advisory, making this a zero-day vulnerability that was actively exploited before public disclosure.

All GoAnywhere MFT versions below 7.8.4 and 7.6.3 are affected. Organizations running any version prior to these releases should consider their systems potentially compromised and take immediate remediation actions.

Organizations should immediately upgrade to one of the following versions:

  • GoAnywhere MFT version 7.8.4 (latest release)
  • GoAnywhere MFT version 7.6.3 (LTS/Sustain Release)

The manufacturer strongly recommends that customers update their installations immediately and ensure that GoAnywhere Admin Console interfaces are not accessible via the Internet under any circumstances.

System administrators should immediately check their audit logs for error messages containing "ERROR Error parsing license response" followed by Java deserialization stack traces, which may indicate successful exploitation attempts. 
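As an added example (not code from Fortra's advisory), the following Python scans a GoAnywhere-style audit log for that marker and reports whether a Java deserialization stack trace immediately follows it. The sample log, the `ObjectInputStream`/`readObject` heuristic and the `com.example` class names are constructed assumptions, not real GoAnywhere output.

```python
import re
from typing import Dict, List

# Marker string Fortra tells administrators to look for in GoAnywhere audit logs.
ERROR_MARKER = "ERROR Error parsing license response"
# Assumed heuristic (not from the advisory): a Java deserialization trace passes
# through the JDK's java.io.ObjectInputStream / readObject.
DESER_HINT = re.compile(r"java\.io\.ObjectInputStream|readObject\(")
# Lines of a Java stack trace: exception line, "at" frames, "Caused by:", "... N more".
EXC_LINE = re.compile(r"^\s*[\w.$]+(Exception|Error)\b")
FRAME_LINE = re.compile(r"^\s*(at |Caused by:|\.\.\. \d+ more)")

def find_exploitation_indicators(log_text: str) -> List[Dict[str, object]]:
    """Return one record per ERROR_MARKER line, with the depth of the stack trace
    that immediately follows it and whether that trace looks like deserialization."""
    lines = log_text.splitlines()
    hits: List[Dict[str, object]] = []
    i = 0
    while i < len(lines):
        if ERROR_MARKER not in lines[i]:
            i += 1
            continue
        trace: List[str] = []
        j = i + 1
        while j < len(lines) and (EXC_LINE.match(lines[j]) or FRAME_LINE.match(lines[j])):
            trace.append(lines[j].strip())
            j += 1
        hits.append({
            "line_no": i + 1,  # 1-based line number of the ERROR message
            "message": lines[i].strip(),
            "trace_depth": len(trace),
            "deserialization_trace": any(DESER_HINT.search(t) for t in trace),
        })
        i = j
    return hits

# Constructed sample log (not a real GoAnywhere log); class names are placeholders.
SAMPLE_LOG = """\
2025-09-10 14:02:11 INFO  License check started
2025-09-10 14:02:12 ERROR Error parsing license response
java.lang.ClassCastException: class java.util.HashMap cannot be cast to class com.example.License
\tat java.base/java.io.ObjectInputStream.readObject(ObjectInputStream.java:489)
\tat com.example.LicenseServlet.doPost(LicenseServlet.java:77)
\t... 12 more
2025-09-10 14:03:00 INFO  Scheduled job completed
2025-09-11 09:15:40 ERROR Error parsing license response
2025-09-11 09:16:02 INFO  Scheduled job completed
"""
```

A marker line without a following trace (the second hit in the sample) still deserves review, but the marker plus a deserialization trace is the combination the advisory flags.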

Update - as of 6th of October 2025, Microsoft Threat Intelligence confirmed that a cybercrime group it tracks as Storm-1175, a known Medusa ransomware affiliate, has been actively exploiting this vulnerability since September 11, 2025, a full week before Fortra publicly disclosed the flaw on September 18, 2025.

The attack chain began with the exploitation of the then-zero-day deserialization vulnerability to gain initial access to target networks. To maintain persistent access to compromised systems, the threat actors installed legitimate remote monitoring and management tools, like SimpleHelp and MeshAgent.

After the initial compromise, the hackers ran a series of discovery commands to enumerate users and system information on the compromised hosts and installed network scanning tools such as Netscan for network reconnaissance and discovery activities. They then used the Microsoft Remote Desktop Connection client (mstsc.exe) to move through the internal network.

For command and control infrastructure, the attackers utilized the deployed RMM tools and established a Cloudflare tunnel to ensure secure and encrypted communication channels with their command servers. During the data exfiltration stage, Microsoft observed the deployment and execution of Rclone, a cloud storage synchronization tool. In one compromised environment the Medusa ransomware was deployed, encrypting the victim's files for ransom.
