Researchers raise alarm over maximum-severity defect in GoAnywhere file-transfer service

The vendor didn’t provide evidence of active exploitation, yet experts said it’s only a matter of time before that changes.

Researchers warned that a maximum-severity vulnerability affecting GoAnywhere MFT bears striking similarities with a widely exploited defect in the same file-transfer service two years ago.

Fortra, the cybersecurity vendor behind the product, disclosed and released a patch for the vulnerability — CVE-2025-10035 — Thursday. The deserialization vulnerability “allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection,” the company said in a security advisory.

File transfer services are a valuable target for attackers because they store a lot of sensitive data. If cybercriminals exploit these services, they can quickly access information from many users at once, making these services especially attractive for large-scale attacks. 

Fortra didn’t provide any evidence of active exploitation and researchers from multiple security firms said they haven’t observed exploitation but expect that to change soon. “We believe that it’s just a matter of time and are monitoring the situation closely,” Ryan Dewhurst, head of proactive threat intelligence at watchTowr, said in an email.

The vulnerability, which has a CVSS rating of 10, is “virtually identical to the description for CVE-2023-0669,” a zero-day vulnerability exploited by Clop, resulting in attacks on more than 100 organizations, and by at least five other ransomware groups, Caitlin Condon, vice president of security research at VulnCheck, said in a blog post.

Clop, a highly prolific, financially motivated ransomware group, specializes in exploiting vulnerabilities in file-transfer services. The threat group achieved mass exploitation as it infiltrated MOVEit environments in 2023, ultimately exposing data from more than 2,300 organizations, making it the largest and most significant cyberattack that year.

“By design, file transfer services process and store sensitive files,” Dewhurst said. “These are a prime target for threat actors, especially ransomware groups, which can use the exposed files as blackmail.”

Stephen Fewer, senior principal researcher at Rapid7, noted that file-transfer services are often exposed to the internet with network credentials supporting data access, storage and flow — factors that create a high-value target for attackers. 

The new defect doesn’t require authentication, and deserialization vulnerabilities are typically more reliable than other bugs, including memory-corruption errors, Fewer said.

Researchers aren’t aware of publicly available proof-of-concept exploit code, yet it could exist privately. “As always, if the vulnerability turns out to have been exploited in the wild as a zero-day — which was unclear at time of disclosure — patching alone will not eradicate adversaries from compromised systems,” Condon said.

Fortra told CyberScoop it discovered the vulnerability during a security check Sept. 11. “We identified that GoAnywhere customers with an admin console accessible over the internet could be vulnerable to unauthorized third-party exposure,” Jessica Ryan, public relations manager at Fortra, said in an email. 

“We immediately developed a patch and offered customers mitigation guidance to help resolve the issue,” she added.

The managed file-transfer service is one of three GoAnywhere products used by more than 3,000 organizations, including Fortune 500 businesses, according to Fortra.

The vendor appears three times on the Cybersecurity and Infrastructure Security Agency’s known exploited vulnerabilities catalog, with all three defects added within a two-month period in 2023.