Full Report
Forta, the vendor behind the file-transfer service software, has yet to report exploitation or address evidence of compromise. Independent researchers say otherwise. The post Worries mount over max-severity GoAnywhere defect appeared first on CyberScoop.
Analysis Summary
# Vulnerability: Critical Deserialization Flaw in Fortra GoAnywhere MFT with Suspected Active Exploitation
## CVE Details
- CVE ID: CVE-2025-10035
- CVSS Score: Not explicitly provided, but described as **maximum-severity** (implies likely Critical/10.0)
- CWE: Unsafe Deserialization
## Affected Systems
- Products: Fortra GoAnywhere MFT (Managed File Transfer service)
- Versions: All vulnerable versions prior to the patch release (specific versions not listed in the summary).
- Configurations: Applicable to instances where an attacker can send a signed Java object to the target server for verification.
## Vulnerability Description
The vulnerability is an unsafe deserialization flaw in Fortra GoAnywhere MFT. Successful exploitation requires an attacker to send a **signed Java object** to the target server. The vulnerable component verifies this signature using a public key. If the signature is valid, an unsafe deserialization occurs, leading to **Arbitrary Code Execution (ACE)** on the target system. Researchers believe the required private key for signing these objects may have been leaked or stolen, possibly from a cloud-based GoAnywhere license server.
## Exploitation
- Status: **Exploited in the wild** (Reported by independent researchers WatchTowr; vendor Fortra has not confirmed active exploitation publicly but has released IOCs suggesting they believe it is a risk).
- Complexity: **Medium to High**, due to the requirement of a valid signature, which necessitates access to a private key unknown to the public proof-of-concept efforts.
- Attack Vector: **Network**
## Impact
- Confidentiality: High (Implied by potential remote code execution)
- Integrity: High (Implied by potential remote code execution)
- Availability: High (Implied by potential remote code execution leading to system compromise)
## Remediation
### Patches
- Specific patch versions are not detailed in the provided text, but a security advisory (FI-2025-012) has been updated by Fortra indicating a fix is available. Users must consult the official Fortra advisory for the specific patched version.
### Workarounds
- No specific vendor workarounds are detailed, but the nature of the attack suggests that network segmentation or strict control over inbound signed object processing might offer temporary defense until patching.
## Detection
- **Indicators of Compromise:** Fortra has published specific indicators of compromise (IOCs) and stack traces in their advisory. If these traces are found in customer log files, the instance was likely affected.
- **Detection Methods and Tools:** Threat hunters should monitor logs for the stack traces and IOCs provided by Fortra in their security advisory. Researchers noted that the release of these IOCs strongly suggests active threat activity.
## References
- Vendor Advisory: hXXps://www.fortra.com/security/advisories/product-security/fi-2025-012
- WatchTowr Report: hXXps://labs.watchtowr.com/it-is-bad-exploitation-of-fortra-goanywhere-mft-cve-2025-10035-part-2/