
- CVE-2025-10035 in GoAnywhere MFT allows critical command injection via license servlet
- Exploitation began before public disclosure; WatchTowr found credible in-the-wild evidence
- Users urged to patch or isolate systems; past flaws led to major Cl0p ransomware breaches
GoAnywhere MFT, a popular managed file transfer solution, has a maximum-severity vulnerability that is being exploited in the wild, according to security researchers at WatchTowr Labs, who claim to have found “credible evidence” of exploitation.
Fortra (the company behind GoAnywhere) recently published a new security advisory, urging customers to patch CVE-2025-10035.
This is a deserialization vulnerability in the License Servlet that allows threat actors to run command injection attacks. In other words, it’s a hole in the license-checking system that could let attackers trick GoAnywhere into running their code.
Credible evidence
The vulnerability was given a maximum severity rating of 10/10, meaning it’s absolutely critical that users patch it. Other than that, the advisory did not say much about potential attackers or current targets.
WatchTowr’s researchers did, though: "We have been given credible evidence of in-the-wild exploitation of Fortra GoAnywhere CVE-2025-10035 dating back to September 10, 2025," the researchers said in their writeup.
"That is eight days before Fortra's public advisory, published September 18, 2025. This explains why Fortra later decided to publish limited IOCs, and we're now urging defenders to immediately change how they think about timelines and risk."
The best way to protect against the attacks is to upgrade to a patched version, either the latest release (7.8.4), or the Sustain Release 7.6.3.
Those who cannot patch at this time can remove GoAnywhere from the public internet through the Admin Console, and those who suspect they may have been targeted should inspect log files for errors containing the string 'SignedObject.getObject'.
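The log check described above, as an added example (not code from Fortra, WatchTowr or the original article): it groups stack-trace lines under the log entry they belong to and reports each entry that contains the indicator string. The timestamp layout, the sample log lines and the function names are assumptions constructed for illustration.

```python
import re
import sys

INDICATOR = "SignedObject.getObject"  # string named in the article
# Assumption: each log entry starts with a "YYYY-MM-DD HH:MM:SS" timestamp and
# stack-trace lines that follow it do not. Adjust to the real log layout.
ENTRY_START = re.compile(r"^(\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}:\d{2})")

# Constructed sample log, not output from a real GoAnywhere instance.
SAMPLE_LOG = [
    "2025-09-12 03:14:07 INFO  Service started",
    "2025-09-12 03:15:22 ERROR Error processing license request",
    "java.lang.RuntimeException: constructed sample exception",
    "\tat java.base/java.security.SignedObject.getObject(SignedObject.java)",
    "\tat com.example.LicenseHandler.handle(LicenseHandler.java)",
    "2025-09-12 03:16:00 INFO  Scheduled job completed",
]

def find_hits(lines):
    """Return one (timestamp, entry_header, line_no) per log entry whose
    header or stack trace contains INDICATOR."""
    hits, ts, header, flagged = [], None, None, False
    for line_no, raw in enumerate(lines, 1):
        line = raw.rstrip("\r\n")
        match = ENTRY_START.match(line)
        if match:  # a new entry begins: reset per-entry state
            ts, header, flagged = match.group(1), line, False
        if INDICATOR in line and not (flagged and header is not None):
            hits.append((ts, header, line_no))
            flagged = True
    return hits

def scan(paths):
    """Scan each file, or the constructed sample when no path is given."""
    if not paths:
        return {"<sample>": find_hits(SAMPLE_LOG)}
    results = {}
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            results[path] = find_hits(fh)
    return results

if __name__ == "__main__":
    for source, hits in scan(sys.argv[1:]).items():
        for ts, header, line_no in hits:
            print(f"{source}:{line_no}: {ts or 'no timestamp'} | {header or ''}")
        if not hits:
            print(f"{source}: no '{INDICATOR}' entries found")
```

Pass one or more log file paths as arguments; with no arguments it runs against the constructed sample.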
In early 2023, threat actors exploited a flaw in GoAnywhere MFT to steal data from dozens of organizations worldwide. The ransomware group Cl0p claimed responsibility, leaking sensitive files and demanding payment, turning it into one of the year’s most damaging supply-chain style breaches.
Via BleepingComputer