Fortra’s GoAnywhere managed file transfer (MFT) software was the target of a recent hacking campaign that exploited a zero-day vulnerability in the software’s License Servlet. The flaw, designated CVE-2025-10035, is a deserialization vulnerability that enables attackers to inject commands and gain unauthorized access to a victim’s system. Fortra’s investigation found that a “limited” number of customers were affected, specifically those who had disregarded the vendor’s advice and exposed the MFT admin console to the public internet. The company stated that other web-based components of the GoAnywhere architecture were not affected.
The threat actor, tracked by Microsoft as Storm-1175, is a cybercrime group previously known for exploiting internet-connected applications to deploy Medusa ransomware. According to Microsoft, the impact of CVE-2025-10035 is amplified because successful exploitation allows attackers to perform system and user discovery, maintain long-term access, and deploy additional tools for lateral movement. Even after a patch is applied, the threat actor could still have access to a victim’s environment. The vulnerability, which Fortra first addressed in a security advisory on September 18, has a maximum CVSS score of 10, highlighting its severity.
Fortra said it was first alerted to the attacks on September 11, which prompted the company to launch an investigation. It inspected customer logs and analyzed both its on-premises and cloud-based MFT instances for signs of compromise. The same day, the company directly contacted on-premises customers with exposed admin consoles to provide risk mitigation measures and further assistance. These steps demonstrate a proactive approach to containing the security breach and aiding affected clients.
In its review, Fortra discovered three of its own managed-file-as-a-transfer service (MFTaaS) instances showed signs of attempted exploitation. The company immediately isolated these instances for further investigation and notified the affected customers. This shows that the threat was not limited to on-premises installations, although on-premises customers with exposed consoles were the primary targets. The company’s quick response to these attempts underscores its commitment to securing its own infrastructure and protecting its clients.
Despite Fortra’s overall transparency regarding the attack, one key question remains unanswered: how attackers were able to forge valid GoAnywhere MFT licenses. This is a point of concern for security researchers like Benjamin Harris, CEO of watchTowr, who believes this information is crucial for understanding the full scope of the vulnerability. While Fortra’s response has been swift and helpful in many ways, this unresolved detail prevents a complete picture of the attack vector from emerging.
Reference:
