Researchers raise alarm over maximum-severity defect in GoAnywhere file-transfer service

A newly disclosed vulnerability in GoAnywhere MFT has sparked urgent warnings from security researchers, who say the flaw closely mirrors a notorious zero-day exploited at scale two years ago. The issue, tracked as CVE-2025-10035, carries a maximum CVSS score of 10 and could allow attackers to execute commands on affected systems without authentication.

What happened

Fortra, the company behind GoAnywhere, revealed and patched the vulnerability on Thursday. In a security advisory, the vendor described the issue as a deserialization flaw that “allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection.”

Fortra told CyberScoop it identified the problem during a security review on Sept. 11 and found that customers with an internet‑accessible admin console could be exposed to unauthorized access. “We immediately developed a patch and offered customers mitigation guidance to help resolve the issue,” Jessica Ryan, Fortra’s public relations manager, said via email.

Why it matters

Managed file transfer (MFT) services are prized targets because they routinely process and store sensitive data from many organizations. If compromised, attackers can pivot quickly to exfiltrate files at scale. “By design, file transfer services process and store sensitive files,” said Ryan Dewhurst, head of proactive threat intelligence at watchTowr. “These are a prime target for threat actors, especially ransomware groups, which can use the exposed files as blackmail.”

Stephen Fewer, senior principal researcher at Rapid7, noted that MFT platforms are often internet-facing and tied into enterprise credentials and data flows—factors that raise their value for adversaries. He also pointed out that deserialization bugs tend to be more reliable to exploit than many memory-corruption issues, and in this case no authentication is required, which increases risk.

Echoes of a major 2023 breach wave

Researchers drew a sharp comparison between CVE-2025-10035 and CVE-2023-0669, a GoAnywhere MFT zero-day exploited by the Clop ransomware group and others in 2023. That earlier campaign impacted more than 100 organizations and sat alongside Clop’s broader spree against file transfer tools, including the MOVEit breach wave that ultimately exposed data from more than 2,300 organizations.

The new flaw is “virtually identical to the description for CVE-2023-0669,” said Caitlin Condon, vice president of security research at VulnCheck, in a blog post. Clop is a prolific, financially motivated group known for weaponizing vulnerabilities in file-transfer services to conduct mass data theft and extortion.

Current exploitation status

Fortra has not reported evidence of active exploitation, and multiple research teams said they haven’t observed in‑the‑wild attacks so far. That may not last. “We believe that it’s just a matter of time and are monitoring the situation closely,” Dewhurst said.

There’s no publicly available proof‑of‑concept exploit code at this time, according to researchers, though they cautioned such code could exist privately. “As always, if the vulnerability turns out to have been exploited in the wild as a zero-day—which was unclear at time of disclosure—patching alone will not eradicate adversaries from compromised systems,” Condon warned.

Who is affected

GoAnywhere MFT is one of three GoAnywhere products used by more than 3,000 organizations, including Fortune 500 companies, according to Fortra. The platform’s typical network placement—internet‑exposed admin consoles or file transfer portals—can widen the blast radius if a critical flaw is exploited. Fortra appears three times in the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities (KEV) catalog, all entries added within a two-month span in 2023.

What defenders should do now

  • Apply the vendor patch immediately to all affected GoAnywhere MFT instances.
  • Restrict internet exposure of the admin console; place it behind VPNs, SSO, or IP allowlists where possible.
  • Review logs for signs of suspicious admin access, unexpected configuration changes, or anomalous command execution.
  • Hunt for indicators of compromise dating back to at least Sept. 11, when Fortra discovered the issue.
  • Rotate credentials, access tokens, and keys associated with the MFT environment and downstream connected systems.
  • Segment MFT infrastructure and enforce least-privilege permissions for service accounts.

The bigger picture

The recurrence of a maximum-severity flaw in a widely deployed file-transfer platform underscores a persistent weakness: systems that centralize sensitive data and require broad connectivity are irresistible targets. Even absent confirmed exploitation, the combination of an unauthenticated attack path and a reliable bug class like deserialization raises the likelihood of rapid weaponization by criminal groups.

Organizations that rely on MFT solutions should treat internet-exposed admin interfaces as exceptional and revisit their security design—tightening access controls, monitoring aggressively, and preparing for incident response that assumes potential data exposure. As the MOVEit and prior GoAnywhere incidents showed, mass exploitation of file-transfer services can unfold quickly, with downstream impacts that take months to fully understand and remediate.

Timeline and vendor response

  • Sept. 11: Fortra identifies the vulnerability during a security check.
  • Disclosure day: Fortra releases patches and mitigation guidance; researchers flag high risk due to similarity with 2023 zero-day activity.
  • Post-disclosure: No confirmed exploitation observed yet, but experts warn that could change rapidly.

With the patch now available and attention intensifying, defenders have a short window to harden their GoAnywhere deployments before opportunistic attackers attempt to replicate the playbook that fueled some of the most consequential data-theft campaigns of recent years.
