Fresh 0-day in GoAnywhere MFT (CVE-2025-10035) Is Being Actively Exploited

Security researchers warn that attackers are actively exploiting a critical vulnerability, CVE-2025-10035, in Fortra’s GoAnywhere MFT. The flaw, disclosed in mid-September 2025, permits remote command execution without authentication and is already being used in real attacks.
What GoAnywhere MFT does — and why this matters
GoAnywhere MFT is a managed file transfer product used by organizations to share files securely with partners while keeping detailed audit logs of access. It is developed by Fortra (formerly HelpSystems). The product is widely used in enterprises and service providers, which makes vulnerabilities in it particularly high risk.
The vulnerability and vendor response
Fortra published details of CVE-2025-10035 on September 18, 2025. The flaw is a deserialization bug in the License Servlet component and carries a CVSS score of 10.0. It enables command injection if an attacker can present a license response with a valid signature.
Fortra released GoAnywhere MFT 7.8.4 and Sustain Release 7.6.3 to address the issue. Administrators unable to patch immediately were advised to block external access to the GoAnywhere admin console.
Evidence of pre-disclosure exploitation
Researchers at WatchTowr Labs say they found convincing evidence that attackers exploited the flaw as a zero-day starting September 10, 2025 — eight days before Fortra’s bulletin. According to the report, attackers:
- Achieved remote command execution via the deserialization flaw.
- Created a hidden admin account named admin-go.
- Used that account to create a web user with apparently legitimate access.
- Uploaded and executed multiple additional payloads.

Among the payloads WatchTowr published are binaries named zato_be.exe and jwunst.exe. The latter is a legitimate SimpleHelp remote-access binary repurposed by attackers to establish persistent control.
The attackers also ran commands such as whoami /groups and saved the output to test.txt — a step used to confirm privileges and plan lateral movement and data theft.
Is it one bug or a chain?
Rapid7 analysts say CVE-2025-10035 may be part of a chain rather than a single issue. Their analysis points to three components:
- An access-control bypass known since 2023.
- The CVE-2025-10035 deserialization vulnerability.
- An unknown weakness that allowed attackers to discover a specific private key.
Both WatchTowr and Rapid7 report they could not locate the private key serverkey1, which is required to forge the license response signature needed for exploitation. Both firms note exploitation is feasible only if one of these conditions holds: the private key has been leaked, the license server was tricked into signing a malicious response, or serverkey1 was obtained by some other means.
Impact and attack behavior
Attackers used the forged or otherwise accepted license responses to gain control, establish backdoors, and run additional tools. The use of a legitimate remote-access binary (SimpleHelp) for persistence demonstrates a desire to blend malicious activity into normal administrative workflows.
Because GoAnywhere is often deployed in environments that move sensitive files and audit logs, successful exploitation can expose critical data and enable broader network compromise.
Mitigation steps (immediate)
Security teams should act now:
- Apply GoAnywhere MFT 7.8.4 or Sustain Release 7.6.3 immediately.
- If patching is not possible, block access to the GoAnywhere admin console from the public internet.
- Search for the indicators WatchTowr published (hidden accounts like admin-go, payload names such as zato_be.exe and jwunst.exe, unexpected web users).
- Audit license server logs and look for anomalous license responses or signature activity.
- Investigate any use of SimpleHelp or other remote-access binaries on hosts that would not normally run them.
- Rotate and protect any private keys related to license signing (treat compromise of serverkey1 as a critical incident).
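The indicator hunt described in the mitigation list above, as an added example that is not part of the article or of any WatchTowr, Rapid7 or Fortra tooling: it runs several detection rules over constructed audit lines in a hypothetical "timestamp|event|actor|detail" layout (not GoAnywhere's real log format), flagging the admin-go account, web users created by it, the published payload names, the repurposed SimpleHelp binary, and the whoami /groups output written to test.txt.

```python
import re
from dataclasses import dataclass

# Indicators as published in the article (WatchTowr's findings).
SUSPICIOUS_ACCOUNTS = {"admin-go"}
PAYLOAD_NAMES = {"zato_be.exe", "jwunst.exe"}
REMOTE_ACCESS_MARKERS = ("simplehelp",)
RECON_PATTERN = re.compile(r"whoami\s+/groups.*>\s*\S*test\.txt", re.IGNORECASE)
NAME_FIELD = re.compile(r"\bname=(\S+)")

# Constructed sample log in a hypothetical "timestamp|event|actor|detail" layout.
SAMPLE_LOG = """\
2025-09-10T02:14:07Z|ADMIN_USER_CREATED|system|name=admin-go role=Administrator
2025-09-10T02:15:30Z|WEB_USER_CREATED|admin-go|name=partner_sync folder=/inbound
2025-09-10T02:20:11Z|PROCESS_START|admin-go|cmd=C:\\Temp\\zato_be.exe
2025-09-10T02:21:45Z|PROCESS_START|admin-go|cmd=cmd.exe /c whoami /groups > C:\\Temp\\test.txt
2025-09-10T02:25:02Z|PROCESS_START|admin-go|cmd=C:\\ProgramData\\jwunst.exe (SimpleHelp)
2025-09-10T08:00:00Z|WEB_USER_CREATED|jsmith|name=vendor_ftp folder=/outbound
"""

@dataclass
class Finding:
    rule: str
    line: str

def scan_log(text: str) -> list[Finding]:
    """Apply every detection rule to every line; a line may trigger several rules."""
    findings = []
    for line in text.splitlines():
        try:
            _ts, event, actor, detail = line.split("|", 3)
        except ValueError:
            continue  # malformed line: skip rather than abort the whole scan
        lowered = detail.lower()
        name = NAME_FIELD.search(detail)
        if event == "ADMIN_USER_CREATED" and name and name.group(1) in SUSPICIOUS_ACCOUNTS:
            findings.append(Finding("hidden-admin-account", line))
        if event == "WEB_USER_CREATED" and actor in SUSPICIOUS_ACCOUNTS:
            findings.append(Finding("web-user-by-suspicious-admin", line))
        if event == "PROCESS_START" and any(p in lowered for p in PAYLOAD_NAMES):
            findings.append(Finding("known-payload-executed", line))
        if event == "PROCESS_START" and any(m in lowered for m in REMOTE_ACCESS_MARKERS):
            findings.append(Finding("remote-access-tool", line))
        if event == "PROCESS_START" and RECON_PATTERN.search(detail):
            findings.append(Finding("privilege-recon-to-test-txt", line))
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"[{f.rule}] {f.line}")
```

Adapt the field split and rule strings to the real log source before use; the value of the exercise is the rule set, not the constructed layout.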
What the researchers say — and open questions
WatchTowr and Rapid7 have published technical details and indicators. Both caution that the full exploitation chain is not yet completely understood, especially how attackers obtained or forged the required license signature. Fortra has issued fixes, but the precise origins of the compromise — leak, server-side signing abuse, or another vector — are still under investigation.