<div> <div>
<h2>Hackers exploit Fortra GoAnywhere flaw before public alert</h2>
<h2>watchTowr Labs says hackers exploited the Fortra GoAnywhere MFT flaw CVE-2025-10035 on Sept 10, 2025, a week before public disclosure.</h2>
<p>Cybersecurity firm watchTowr Labs revealed that it has &lsquo;credible evidence&rsquo; that the critical Fortra GoAnywhere MFT flaw <a href="https://securityaffairs.com/182351/security/fortra-addressed-a-maximum-severity-flaw-in-goanywhere-mft-software.html" target="_blank">CVE-2025-10035</a> was actively exploited in attacks in the wild as early as September 10, 2025, a week before it was publicly disclosed.</p>
<p>Fortra GoAnywhere Managed File Transfer is a comprehensive solution for secure file transfer, data encryption, and compliance management. It provides a centralized platform for managing and automating file transfers between disparate systems and applications, enabling secure and controlled data movement across an organization&rsquo;s network.</p>
<p>On September 18, Fortra <a href="https://securityaffairs.com/182351/security/fortra-addressed-a-maximum-severity-flaw-in-goanywhere-mft-software.html" target="_blank">addressed</a> a critical vulnerability, tracked as CVE-2025-10035 (CVSS score of 10.0), in GoAnywhere Managed File Transfer (MFT) software.</p>
<p>The flaw is a deserialization vulnerability in the License Servlet of Fortra&rsquo;s GoAnywhere MFT. An attacker could exploit the vulnerability to execute arbitrary commands on the affected systems.</p>
<p><em>&ldquo;A deserialization vulnerability in the License Servlet of Fortra&rsquo;s GoAnywhere MFT allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection.&rdquo; <a href="https://www.fortra.com/security/advisories/product-security/fi-2025-012" target="_blank">reads the advisory</a>.</em></p>
<p>The company urges customers to upgrade to a patched version (the latest release 7.8.4, or the Sustain Release 7.6.3).</p>
<p>To mitigate the vulnerability, Fortra recommends restricting public access to the GoAnywhere Admin Console, as exploitation depends on internet exposure.</p>
<p><em>&ldquo;We have been given credible evidence of in-the-wild exploitation of Fortra GoAnywhere CVE-2025-10035 dating back to September 10, 2025. That is eight days before Fortra&rsquo;s public advisory, published September 18, 2025,&rdquo; <a href="https://labs.watchtowr.com/it-is-bad-exploitation-of-fortra-goanywhere-mft-cve-2025-10035-part-2/" rel="noreferrer noopener" target="_blank">watchTowr notes</a>. &ldquo;This explains why Fortra later decided to publish limited IOCs, and we&rsquo;re now urging defenders to immediately change how they think about timelines and risk. An individual sent us evidence of exploitation activity that aligns with the stack traces shown in Fortra&rsquo;s advisory.&rdquo;</em></p>
<p>watchTowr found over 20,000 internet-facing GoAnywhere MFT instances, including some run by Fortune 500 companies. Cybersecurity firm Rapid7 also states that the flaw is not a simple deserialization issue but a chain of three bugs.</p>
<p><em>&ldquo;The following analysis details our current understanding of the vulnerability, and finds that the issue, as described by the vendor, <strong>is not just a single deserialization vulnerability, but rather a chain of three separate issues</strong>. This includes an access control bypass that has been known since 2023, the unsafe deserialization vulnerability CVE-2025-10035, and an as-yet unknown issue pertaining to how the attackers can know a specific private key.&rdquo; <a href="https://attackerkb.com/topics/LbA9ANjcdz/cve-2025-10035/rapid7-analysis" target="_blank">states Rapid7</a>. &ldquo;As of September 24, 2025, there is no known exploit code publicly available, and the vendor has not indicated the vulnerability as having been exploited in-the-wild, although the vendor advisory has been updated to include IOCs, which is unusual for a vulnerability that has not been exploited in-the-wild.&rdquo;</em></p>
<p>Follow me on Twitter: <a href="https://twitter.com/securityaffairs" target="_blank">@securityaffairs</a> and <a href="https://www.facebook.com/sec.affairs" target="_blank">Facebook</a> and <a href="https://infosec.exchange/@securityaffairs" target="_blank">Mastodon</a></p>
<p><a href="http://www.linkedin.com/pub/pierluigi-paganini/b/742/559" target="_blank">Pierluigi Paganini</a></p>
<p>(<a href="http://securityaffairs.co/wordpress/" target="_blank">SecurityAffairs</a> &ndash; hacking, Fortra)</p>
<hr>
</div></div>
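<p>The advisory quoted above describes the bug class precisely: once the signature check on the license response is fooled, whatever serialized object the request carries is instantiated. The example below is an added illustration written for this page, not Fortra's code and not the actual GoAnywhere License Servlet; the class names <code>LicenseResponse</code>, <code>UnexpectedObject</code> and <code>LicenseDeserializationDemo</code> are hypothetical. It contrasts an unfiltered <code>ObjectInputStream.readObject()</code> call, which instantiates any class present in the stream, with the same read guarded by a Java 9+ <code>ObjectInputFilter</code> allowlist that rejects every class except the one the handler expects, before any constructor or <code>readObject</code> hook of the unexpected class runs. The payload used to trigger the rejection is a harmless constructed class, not a gadget chain.</p>

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

/** Hypothetical stand-in for the object a license server legitimately returns. */
final class LicenseResponse implements Serializable {
    private static final long serialVersionUID = 1L;
    final String licensee;
    final long expiresEpochSeconds;
    LicenseResponse(String licensee, long expiresEpochSeconds) {
        this.licensee = licensee;
        this.expiresEpochSeconds = expiresEpochSeconds;
    }
}

/** Constructed sample: any other serializable class the handler never asked for. */
final class UnexpectedObject implements Serializable {
    private static final long serialVersionUID = 1L;
    final String note = "not a license";
}

public class LicenseDeserializationDemo {

    // VULNERABLE pattern: the stream decides which class gets instantiated.
    // A forged-but-valid signature upstream would let this run on attacker-chosen input.
    static Object readUnfiltered(byte[] payload) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            return in.readObject();
        }
    }

    // HARDENED pattern: allowlist exactly the expected class (plus String, which the
    // filter also sees for string fields), cap nesting depth, reject everything else.
    // The filter runs before the unexpected class is resolved and constructed.
    static final ObjectInputFilter LICENSE_ONLY = ObjectInputFilter.Config.createFilter(
            LicenseResponse.class.getName() + ";java.lang.String;maxdepth=4;!*");

    static LicenseResponse readFiltered(byte[] payload) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            in.setObjectInputFilter(LICENSE_ONLY);
            return (LicenseResponse) in.readObject();
        }
    }

    // Helper to build the two sample payloads in-process; no network, no files.
    static byte[] serialize(Serializable o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] legit = serialize(new LicenseResponse("Example Corp", 1_900_000_000L));
        byte[] unexpected = serialize(new UnexpectedObject()); // constructed, benign

        // Unfiltered: both payloads are instantiated; the handler has no say.
        System.out.println("unfiltered legit      -> " + readUnfiltered(legit).getClass().getSimpleName());
        System.out.println("unfiltered unexpected -> " + readUnfiltered(unexpected).getClass().getSimpleName());

        // Filtered: the expected type passes, the other is rejected with InvalidClassException.
        System.out.println("filtered legit        -> " + readFiltered(legit).licensee);
        try {
            readFiltered(unexpected);
            System.out.println("filtered unexpected   -> accepted (should not happen)");
        } catch (InvalidClassException e) {
            System.out.println("filtered unexpected   -> rejected: " + e.getMessage());
        }
    }
}
```

<p>The filter is a defence-in-depth layer, not a replacement for the patch or for keeping the Admin Console off the internet: the point the Rapid7 analysis makes is that the signature check itself was defeated, so a handler that trusts the signature alone has no second gate. An allowlist filter gives it one, and a rejection logged at that gate is also a useful detection signal for the kind of activity watchTowr describes.</p>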