Fortra cops to exploitation of GoAnywhere file-transfer service defect

Fortra, in its most forceful admission yet, confirmed a maximum-severity defect it disclosed in GoAnywhere MFT has been actively exploited in attacks, yet researchers are still pressing the vendor to be more forthcoming about how attackers obtained a private key required to achieve exploitation.

The vendor published a summary of its investigation into CVE-2025-10035 Thursday, three weeks after it publicly addressed the vulnerability in its file-transfer service for the first time. “At this time, we have a limited number of reports of unauthorized activity related to CVE-2025-10035,” the company said. 

“It is positive to see Fortra increase their transparency surrounding the CVE-2025-10035 saga,” Ben Harris, founder and CEO at watchTowr, told CyberScoop. “However, the mystery remains — watchTowr researchers and others are still unclear how this vulnerability could be exploited without access to a private key that only Fortra is believed to have access to.”

Researchers at watchTowr, Rapid7 and VulnCheck last month rang alarm bells about the private key after they independently confirmed the steps attackers would have to take to achieve exploitation. 

“The fact that Fortra has now opted to confirm ‘unauthorized activity related to CVE-2025-10035,’ confirms yet again that the vulnerability was not theoretical, and that the attacker has somehow circumvented, or satisfied, the cryptographic requirements needed to exploit this vulnerability,” Harris said.

The scope of compromise has continued to grow during the past month as Fortra and researchers continue hunting for evidence of active exploitation. Fortra also shared more details about the timeline and actions it took behind the scenes prior to publicly disclosing and addressing the vulnerability. 

Security staff at Fortra began investigating a potential vulnerability after a customer reported suspicious activity Sept. 11. After inspecting customer logs, the company started notifying potentially impacted customers and reported the malicious activity to law enforcement that same day. 

The vendor also said it found three instances in its cloud-based GoAnywhere MFT environment “with potentially suspicious activity related to the vulnerability.” Fortra said it isolated those instances for further investigation and alerted customers using those managed services of potential exposure. 

The company deployed the patch to cloud-based services it hosts for customers Sept. 17, but it has not described the extent to which the vulnerability has been exploited in on-premises customer environments and Fortra-hosted services. The vendor said it updated all company-hosted instances of GoAnywhere MFT, including infrastructure rebuilds.

Fortra did not answer questions submitted by CyberScoop on Monday.

The Cybersecurity and Infrastructure Security Agency added CVE-2025-10035 to its known exploited vulnerabilities catalog Sept. 29, noting the defect has been used in ransomware campaigns. Microsoft Threat Intelligence followed up on that last week, noting that a cybercriminal group it tracks as Storm-1175 has exploited CVE-2025-10035 to initiate multi-stage attacks including ransomware. 

Fortra repeatedly declined to confirm it was aware of active exploitation in the wake of those reports. The company previously added indicators of compromise to its security advisory, but didn’t say it was aware of reports of unauthorized activity related to the defect until Thursday.