- CVE-2025-10035 in GoAnywhere MFT allows critical command injection through the license servlet
- Exploitation began before public disclosure; watchTowr found credible evidence of in-the-wild attacks
- Users urged to patch or isolate systems; past flaws led to major Cl0p ransomware breaches
GoAnywhere MFT, a popular managed file transfer solution, has a maximum-severity vulnerability that is currently being exploited in the wild, according to security researchers at watchTowr Labs, who claim to have found “credible evidence.”
Fortra (the company behind GoAnywhere) recently published a new security advisory, urging customers to patch CVE-2025-10035.
This is a deserialization vulnerability in the license servlet that allows threat actors to carry out command injection attacks. In other words, it is a hole in the licensing system that could let attackers trick GoAnywhere into executing their code.
Credible evidence
The vulnerability received the maximum severity rating, 10/10, which means it is absolutely critical that users patch it. Beyond that, the advisory did not say much about possible attackers or current targets.
However, watchTowr researchers did: “We have been given credible evidence of in-the-wild exploitation of Fortra GoAnywhere CVE-2025-10035 that dates back to September 10, 2025,” the researchers said in their article.
“That is eight days before Fortra's public advisory, published on September 18, 2025. This explains why Fortra then decided to publish limited IOCs, and now we are urging defenders to immediately change how they think about deadlines and risk.”
The best way to protect against attacks is to update to a patched version, either the latest release (7.8.4) or the Sustain Release 7.6.3.
Those who cannot patch right now can remove GoAnywhere from the public internet via the Admin Console, and those who suspect they may have been attacked should inspect their log files for errors containing the string ‘SignedObject.getObject’.
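The log check described above can be scripted so that each hit is tied back to the timestamped entry that produced it. This is an added example, not code from Fortra or watchTowr; the log layout (timestamp at the start of each entry, stack-trace lines following it) and the sample lines are constructed assumptions.

```python
import re
import sys
from datetime import datetime

# Indicator string named in the article; compared case-insensitively.
INDICATOR = "signedobject.getobject"
# Assumption: every log entry starts with "YYYY-MM-DD HH:MM:SS"; lines without
# a timestamp (stack-trace frames) belong to the entry above them.
ENTRY_START = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(.*)$")

def find_indicator_entries(lines):
    """Return (timestamp, headline, matching line) for every log entry whose
    headline or stack trace contains the indicator string."""
    entries = []
    for raw in lines:
        line = raw.rstrip("\n")
        m = ENTRY_START.match(line)
        if m:  # a new entry begins here
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            entries.append({"ts": ts, "head": m.group(2), "match": None})
        # Record only the first matching line per entry; skip orphan lines.
        if entries and entries[-1]["match"] is None and INDICATOR in line.lower():
            entries[-1]["match"] = line.strip()
    return [(e["ts"], e["head"], e["match"]) for e in entries if e["match"]]

# Constructed sample input, not taken from a real GoAnywhere installation.
SAMPLE_LOG = """\
2025-09-09 23:58:01 INFO  Scheduler heartbeat ok
2025-09-10 04:12:37 ERROR Unhandled exception in request handler
java.lang.RuntimeException: constructed sample
    at java.base/java.security.SignedObject.getObject(SignedObject.java:0)
    at example.Constructed.handler(Constructed.java:0)
2025-09-10 04:13:02 ERROR Connection reset by peer
java.io.IOException: constructed sample
    at example.Constructed.read(Constructed.java:0)
2025-09-11 10:00:00 INFO  User admin logged in
""".splitlines()

if __name__ == "__main__":
    # Scan the files given on the command line, or the sample if none given.
    sources = sys.argv[1:] or [None]
    for path in sources:
        lines = SAMPLE_LOG if path is None else open(path, errors="replace")
        for ts, head, match in find_indicator_entries(lines):
            print(f"{path or 'sample'}: {ts.isoformat()} {head} -> {match}")
```

Any hit is a lead for review rather than proof of compromise; the entry timestamps let responders compare activity against the September 10, 2025 date cited by watchTowr.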
In early 2023, threat actors exploited a flaw in GoAnywhere MFT to steal data from dozens of organizations worldwide. The Cl0p ransomware group claimed responsibility, leaked confidential files and demanded payment, making it one of the most damaging supply-chain-style breaches of the year.
Via BleepingComputer