Full Report
The vendor belatedly admitted the max-severity vulnerability was actively exploited weeks after researchers and officials confirmed as much independently. The post Fortra cops to exploitation of GoAnywhere file-transfer service defect appeared first on CyberScoop.
Analysis Summary
# Vulnerability: Actively Exploited Critical Defect in Fortra GoAnywhere MFT
## CVE Details
- CVE ID: [CVE-2025-10035]
- CVSS Score: [Not explicitly stated, but described as "maximum-severity"]
- CWE: [Not available in summary]
## Affected Systems
- Products: Fortra GoAnywhere MFT (Managed File Transfer service)
- Versions: Specific vulnerable versions are not detailed, but it affects versions addressed by the vendor patch.
- Configurations: Affects both on-premises customer environments and Fortra-hosted/cloud-based services.
## Vulnerability Description
A maximum-severity vulnerability in Fortra GoAnywhere MFT that has been confirmed to be actively exploited in the wild, including in ransomware campaigns (e.g., by Storm-1175). Exploitation reportedly requires circumvention or satisfaction of cryptographic requirements, possibly involving unauthorized access to a private key believed to be held only by Fortra.
## Exploitation
- Status: **Actively exploited in the wild**
- Complexity: Suggested to be complex due to the reliance on unknown means to satisfy cryptographic requirements (access to a private key).
- Attack Vector: [Not explicitly detailed, but exploitation leads to multi-stage attacks including ransomware, implying network access may be sufficient after the initial bypass].
## Impact
- Confidentiality: High (Implied, given the context of ransomware campaigns)
- Integrity: High (Implied, given the context of ransomware campaigns)
- Availability: High (Implied, given the context of ransomware campaigns)
## Remediation
### Patches
- The vendor deployed a patch to cloud-based services on September 17th.
- Patches addressing the vulnerability are available and should be applied immediately to all on-premises installations. (Specific patch versions are not listed in this article summary.)
### Workarounds
- No specific workarounds are mentioned in this summary, but isolation of impacted cloud instances was performed by Fortra.
## Detection
- **Indicators of Compromise (IOCs):** Incident investigation began on September 11th after a customer reported suspicious activity. The vendor updated its security advisory with IOCs previously.
- **Detection Methods and Tools:** CISA has added CVE-2025-10035 to its Known Exploited Vulnerabilities catalog (as of September 29th). Monitoring for signs of multi-stage attacks, particularly ransomware activity linked to the Storm-1175 group, is advised.
## References
- Vendor advisory summary: hxxps://www.fortra[.]com/blog/summary-investigation-related-cve-2025-10035
- CISA KEV entry: hxxps://www.cisa.gov/known-exploited-vulnerabilities-catalog
- Security researcher reports mentioned: hxxps://cyberscoop[.]com/goanywhere-vulnerability-active-exploitation-september-2025/
- Microsoft Intelligence report: hxxps://cyberscoop[.]com/microsoft-goanywhere-ransomware-storm-1175/