Particle.news

GoAnywhere CVE-2025-10035 Was Exploited as a Zero-Day Before Patch, Researchers Say

Researchers report credible evidence of real-world abuse targeting internet-exposed Admin Consoles prior to Fortra’s patch release.

Overview

  • watchTowr says exploitation began around September 10, eight days before Fortra’s September 18 advisory and fixes for the CVSS 10.0 flaw.
  • Attackers reportedly achieved unauthenticated remote code execution, created a backdoor admin account, and then added a web user to upload and run further payloads.
  • Rapid7 assesses the exploit involves a chain of three issues: a known access control bypass from 2023, the unsafe deserialization bug, and an unresolved question about access to the private key ‘serverkey1’.
  • Fortra describes the issue as a deserialization weakness in the license servlet triggered via a forged license response signature, and it shared IoCs to aid detection.
  • Patches are available in GoAnywhere MFT 7.8.4 and Sustain 7.6.3. Guidance is to urgently remove public access to the Admin Console, as over 20,000 instances appear exposed online.