Particle.news

Researchers Say GoAnywhere CVSS 10 Flaw Was Exploited as Zero-Day Before Disclosure

The attack chain hinges on a forged license signature tied to an undiscovered private key, leaving investigators unsure how adversaries achieved code execution.

Overview

  • Fortra released fixes in GoAnywhere 7.8.4 and Sustain 7.6.3, shared limited indicators of compromise, and urged customers to keep the Admin Console off the public internet.
  • watchTowr reports credible evidence of exploitation beginning on September 10, eight days before Fortra’s September 18 advisory, indicating zero-day use.
  • Observed intrusions used pre-authentication remote code execution to create a backdoor admin account named “admin-go,” add a web user, and deploy payloads such as SimpleHelp and “zato_be.exe.”
  • Rapid7 says the issue is a multi-step chain involving a known access-control bypass, the unsafe deserialization (CVE-2025-10035), and a required private key (“serverkey1”) that researchers have not located.
  • Researchers estimate more than 20,000 GoAnywhere instances are internet-exposed; defenders are urged to upgrade immediately, restrict exposure, and hunt logs for strings like “SignedObject.getObject.”
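A log-hunting check of the kind the last bullet recommends, added here as an illustration and not taken from Fortra, watchTowr or Rapid7. The log lines are constructed, and the line format, indicator categories and the pre-disclosure cut-off (the September 18 advisory date) are assumptions; it scans for the strings named above and flags hits that predate the advisory.

```python
import re
from datetime import date

# Indicator strings named in the summary above, grouped by what they suggest.
# Only strings appear on the page; no hashes or network indicators are assumed.
INDICATORS = {
    "deserialization_error": "SignedObject.getObject",
    "backdoor_admin_account": "admin-go",
    "dropped_payload": "zato_be.exe",
    "remote_access_tool": "SimpleHelp",
}
ADVISORY_DATE = date(2025, 9, 18)  # Fortra advisory date from the summary

# Constructed sample lines (not real GoAnywhere logs); format is an assumption.
SAMPLE_LOG = """\
2025-09-09 11:02:14 INFO  user jsmith logged in
2025-09-10 03:41:07 ERROR java.lang.ClassCastException ... at java.security.SignedObject.getObject
2025-09-10 03:42:30 INFO  admin account created: admin-go
2025-09-11 08:15:00 INFO  scheduled transfer completed
2025-09-19 14:20:05 INFO  process launched: zato_be.exe
"""

DATE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})\s")


def hunt(log_text, indicators=INDICATORS, advisory=ADVISORY_DATE):
    """Return one finding per (line, indicator) match, in log order.

    Each finding records the day, the indicator category, whether the hit
    predates the public advisory (possible zero-day activity), and the line.
    """
    findings = []
    for line in log_text.splitlines():
        m = DATE_RE.match(line)
        if not m:
            continue  # skip lines without a leading ISO date
        day = date.fromisoformat(m.group(1))
        for name, needle in indicators.items():
            if needle.lower() in line.lower():
                findings.append({"date": day.isoformat(), "indicator": name,
                                 "pre_disclosure": day < advisory, "line": line})
    return findings


def summarize(findings):
    """Count hits per indicator and how many of them predate the advisory."""
    summary = {}
    for f in findings:
        entry = summary.setdefault(f["indicator"], {"hits": 0, "pre_disclosure": 0})
        entry["hits"] += 1
        entry["pre_disclosure"] += int(f["pre_disclosure"])
    return summary


if __name__ == "__main__":
    results = hunt(SAMPLE_LOG)
    for f in results:
        flag = "PRE-DISCLOSURE" if f["pre_disclosure"] else ""
        print(f"{f['date']} {f['indicator']:24} {flag:15} {f['line']}")
    print(summarize(results))
```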