Threat actors are actively exploiting CVE-2025-10035, a CVSS 10.0 vulnerability in Fortra GoAnywhere MFT that enables unauthenticated remote command execution. Evidence indicates compromises began at least eight days before the vendor’s security advisory, underscoring the urgency to patch and reduce exposure. Fortra has released fixes, but unpatched deployments remain at high risk.
What is CVE-2025-10035 in GoAnywhere MFT?
GoAnywhere MFT is an enterprise managed file transfer platform with secure sharing and auditing capabilities. CVE-2025-10035 stems from a deserialization flaw in the product’s License Servlet. In practical terms, deserialization vulnerabilities occur when an application accepts attacker-controlled serialized data and reconstructs it without sufficient validation, potentially allowing code execution.
In this case, exploitation requires a correctly signed license response. When that condition is met, an attacker can inject and run arbitrary commands on the server without authentication. Fortra disclosed the issue on 18 September 2025 and provides patches in GoAnywhere MFT 7.8.4 and Sustain Release 7.6.3.
Zero‑day exploitation: timeline and indicators of compromise
WatchTowr Labs reports “compelling evidence” that zero‑day exploitation started on 10 September 2025, predating public disclosure by eight days. Observed indicators of compromise (IoCs) include payloads named zato_be.exe and jwunst.exe. The latter is a legitimate binary from the SimpleHelp remote support tool and was used to establish persistence on compromised hosts.
Adversary TTPs and early post‑exploitation steps
Attackers executed whoami /groups to enumerate privileges and group memberships, saving the output to test.txt for later exfiltration. This reconnaissance helps assess opportunities for lateral movement and prioritize follow-on actions across the network.
Exploit mechanics: bug chain and the role of the serverkey1 signing key
According to Rapid7, the issue likely involves a chain of multiple vulnerabilities—at least three—working in concert to achieve reliable exploitation. Both WatchTowr and Rapid7 note they were unable to obtain the private signing key serverkey1, which appears necessary to create a validly signed license response.
Three plausible pathways to weaponization have been outlined: a private key leak, coercing a legitimate licensing server to sign a malicious response, or an unknown method of accessing or abusing the signing process. The lack of public detail about the signing key complicates attribution and elevates the importance of securing licensing infrastructure and related secrets.
Patching and immediate risk reduction measures
Update priority: Apply GoAnywhere MFT 7.8.4 or Sustain 7.6.3 as soon as operationally feasible. Given confirmed in‑the‑wild exploitation, delaying upgrades significantly increases business risk.
Exposure management: Remove public Internet access to the GoAnywhere administrator console and minimize the product’s external attack surface. Place the service behind access controls (VPN, SSO with MFA) and enforce strict network ACLs.
Hunting and detection: Search for zato_be.exe, jwunst.exe, and test.txt. Review process creation logs for suspicious command execution and anomalous outbound connections. Alert on whoami /groups and similar discovery commands in the GoAnywhere context. Leverage EDR/IDS to detect persistence and command-and-control activity.
Hardening and containment: Segment networks to contain blast radius, apply least privilege to service accounts, and tighten outbound egress controls. Inventory and rotate secrets tied to licensing workflows, and monitor access to the license server for anomalies. Where possible, implement tamper‑resistant key management and strict access control for signing keys.
With CVE-2025-10035 confirmed as exploited in the wild and rated at the maximum severity, closing the gap is imperative. Prioritize upgrading to 7.8.4 or 7.6.3 Sustain, reduce external exposure of GoAnywhere MFT, and strengthen key management around licensing. Maintain heightened monitoring for the listed IoCs and reconnaissance commands, and track vendor advisories along with independent research updates to shorten the attacker’s window of opportunity.
