Article Details
Scrape Timestamp (UTC): 2025-09-19 14:39:36.285
Source: https://www.theregister.com/2025/09/19/gortra_goanywhere_bug/
Original Article Text
Ding ding: Fortra rings the perfect-10 bell over latest GoAnywhere MFT bug

Outside experts say the vulnerability has probably already been exploited.

Budding ransomware crooks have another shot at exploiting Fortra's GoAnywhere MFT product now that a new 10/10 severity vulnerability needs patching.

The vendor issued an advisory for CVE-2025-10035 on Thursday, saying successful exploitation can potentially lead to command injection. Fortra's advisory states "a deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection."

It comes more than two years after the vendor issued patches for CVE-2023-0669 (7.2) – a similar vulnerability affecting the License Servlet of GoAnywhere MFT as a Service, also leading to command injection. Reg readers may remember that vulnerability being exploited by criminals working for LockBit and Black Basta – two of the most prolific ransomware crews of their time.

Months after discovering the flaw in January 2023, Fortra's own assessment confirmed CVE-2023-0669 was exploited as a zero-day between January 18-31, 2023, by unspecified attackers. Customers were contacted directly and urged to rotate all keys, master keys, and credentials, and to scan logs for suspicious admin accounts that should be deleted.

This time around, Fortra is encouraging customers to upgrade to a patched version – the latest release, 7.8.4, or the Sustain Release 7.6.3 – or to apply the mitigation, which involves ensuring the product's admin console isn't publicly exposed to the web. "Exploitation of this vulnerability is highly dependent upon systems being externally exposed to the internet," it said in the advisory.

Fortra did not confirm whether or not it was aware of the vulnerability already being exploited in the wild.
However, watchTowr Xeeted about the bug, saying "in-the-wild exploitation is likely. Patch now." The researchers at the ever-snarky security shop also noted that the exploitation path for the latest vulnerability is the same as the one used to pop CVE-2023-0669.

Almost a year to the day after Fortra alerted the world to CVE-2023-0669, researchers at Horizon3 developed a working exploit for a separate critical bug in GoAnywhere MFT (CVE-2024-0204, 9.8). At the heart of this bug was a classic path traversal affecting Tomcat-based applications – the type of vulnerability CISA has previously tried to peer-pressure vendors into eliminating.

Managed file transfer apps are always hot targets for cybercriminals, given the access to data they can provide, which if stolen can be used for extortion. For instance, Cl0p's infamous attack on Progress's MOVEit MFT solution in 2023 ultimately led to thousands of organizations being breached, and the data belonging to nearly 96 million people being compromised, per Emsisoft's tracker.
Daily Brief Summary
Fortra has disclosed a critical vulnerability, CVE-2025-10035, in its GoAnywhere MFT product, rated 10/10 in severity, potentially leading to command injection attacks.
The flaw lies in the deserialization process within the License Servlet, allowing attackers to execute arbitrary commands if they forge a valid license response signature.
This vulnerability follows a similar issue, CVE-2023-0669, which was exploited by ransomware groups like LockBit and Black Basta, highlighting ongoing risks.
Fortra advises customers to upgrade to patched versions 7.8.4 or 7.6.3, or ensure the admin console is not exposed to the internet to mitigate risks.
While Fortra has not confirmed active exploitation, security researchers warn that exploitation in the wild is likely, urging immediate patching.
Managed file transfer applications remain prime targets for cybercriminals due to their potential access to sensitive data, underscoring the importance of timely patch management.
The incident serves as a reminder of the critical need for robust security practices and proactive vulnerability management in software solutions.