Researchers from WatchTowr Labs have reported active exploitation of a critical vulnerability in Fortra's GoAnywhere MFT managed file transfer product. Tracked as CVE-2025-10035, the flaw is a deserialization bug in the License Servlet component: an attacker who can present a license response carrying a valid (forged) signature can have the servlet deserialize an attacker-controlled object, leading to command injection without authentication. No credentials or prior access are needed; the forged, validly signed license response is the only prerequisite.
Fortra notified its customers of the issue on September 18, though the company had reportedly learned of it about a week earlier. It did not specify how the information was obtained or whether it was already aware of ongoing exploitation. WatchTowr’s report, however, references “reliable confirmation” of attacks beginning on September 10 — eight days before the vendor issued its advisory. This discrepancy led researchers to urge a reassessment of risk management practices, emphasizing that attackers often exploit flaws long before official bulletins are published.
Forensic analysis revealed that once the vulnerability was exploited, attackers achieved unauthenticated remote command execution, created a hidden administrator account named admin-go, and then leveraged it to establish a web user with legitimate access rights. Through this account, they uploaded and executed additional payloads. Among the recovered files were zato_be.exe and jwunst.exe. The latter is a legitimate binary from the remote administration tool SimpleHelp, but in this context, it was repurposed for persistent control over compromised systems.
Adversaries also executed the command whoami /groups, redirecting the output to a file named test.txt for later exfiltration. This allowed them to enumerate the privileges and group memberships of the account the payload ran under and plan lateral movement within the environment.
At the time of publication, Fortra had not commented on WatchTowr's findings. The vendor has released fixes in version 7.8.4 and in the 7.6.3 Sustain Release branch. Security teams are strongly advised to update immediately and, as an interim measure, ensure the Admin Console is not reachable from the internet. Fortra further recommends checking the logs for stack trace errors containing the string "SignedObject.getObject", which may indicate attempted exploitation; the indicators recovered during forensic analysis (the admin-go account, jwunst.exe, zato_be.exe, test.txt) are worth searching for at the same time, since their presence suggests exploitation succeeded rather than merely being attempted.
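The following script is an added example, not code from the article, WatchTowr or Fortra. It runs the log check above over a set of lines and reports which indicators named in the article appear, then gives a simple triage verdict: an exploit-attempt indicator alone means "exploitation attempted", while post-exploitation artifacts (the admin-go account or the dropped payloads) mean the host should be treated as compromised. The indicator strings come from the article; the log line format, the sample lines, the triage rules and the file-path handling are assumptions made for illustration, not a description of GoAnywhere's actual log layout.

```python
import re
import sys
from dataclasses import dataclass

# Indicator strings taken from the article. They are plain search patterns,
# not a claim about the exact format of GoAnywhere's own log output.
INDICATORS = {
    # Fortra's recommended check: stack traces mentioning SignedObject.getObject
    "exploit_attempt": re.compile(r"SignedObject\.getObject"),
    # backdoor administrator account created after exploitation
    "backdoor_admin_account": re.compile(r"\badmin-go\b"),
    # privilege enumeration command observed by the researchers
    "recon_command": re.compile(r"\bwhoami\s*/groups\b", re.IGNORECASE),
    # file the command output was saved to for later exfiltration
    "staged_output_file": re.compile(r"\btest\.txt\b"),
    # payloads recovered from compromised hosts (jwunst.exe is SimpleHelp)
    "dropped_payload": re.compile(r"\b(zato_be|jwunst)\.exe\b", re.IGNORECASE),
}


@dataclass(frozen=True)
class Hit:
    line_no: int
    indicator: str
    line: str


def scan_lines(lines):
    """Return one Hit per (line, indicator) pair, in file order."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.append(Hit(n, name, line.rstrip()))
    return hits


def summarize(hits):
    """Count hits per indicator name."""
    counts = {}
    for h in hits:
        counts[h.indicator] = counts.get(h.indicator, 0) + 1
    return counts


def triage(hits):
    """Assumed triage rule: post-exploitation artifacts outrank a bare attempt."""
    counts = summarize(hits)
    if "backdoor_admin_account" in counts or "dropped_payload" in counts:
        return "likely compromised"
    if "exploit_attempt" in counts:
        return "exploitation attempted"
    return "no indicators"


# Constructed sample log lines for a stand-alone run; the timestamps, message
# wording and layout are invented and do not reproduce real GoAnywhere logs.
SAMPLE_LOG = """\
2025-09-10 03:14:07 INFO  scheduler: daily report job completed
2025-09-10 03:15:22 ERROR LicenseServlet: java.lang.Exception ... at java.security.SignedObject.getObject(SignedObject.java)
2025-09-10 03:16:01 INFO  admin: created user 'admin-go' (role: Administrator)
2025-09-10 03:17:45 INFO  web user 'svc-upload' uploaded file jwunst.exe
2025-09-10 03:18:02 INFO  command executed: cmd /c whoami /groups > test.txt
2025-09-11 08:00:00 INFO  scheduler: daily report job completed
""".splitlines()


def scan_file(path):
    """Scan a log file on disk (path is supplied by the caller; none is assumed)."""
    with open(path, encoding="utf-8", errors="replace") as f:
        return scan_lines(f)


if __name__ == "__main__":
    hits = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan_lines(SAMPLE_LOG)
    for h in hits:
        print(f"line {h.line_no:>6}  {h.indicator:<24} {h.line}")
    print("summary:", summarize(hits))
    print("verdict:", triage(hits))
```

Run it with no arguments to see the constructed sample scored, or pass the path of an exported log file as the first argument. Treat a "likely compromised" verdict as a reason to preserve the host for forensic examination before patching, since the patch closes the entry point but does not remove an account or payload an attacker has already planted.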