Ptechhub
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
PtechHub
No Result
View All Result

Fortra GoAnywhere CVSS 10 Flaw Exploited as 0-Day a Week Before Public Disclosure

The Hacker News by The Hacker News
September 26, 2025
Home Cybersecurity
Share on FacebookShare on Twitter


Sep 26, 2025Ravie LakshmananVulnerability / Threat Intelligence

Cybersecurity company watchTowr Labs has disclosed that it has “credible evidence” of active exploitation of the recently disclosed security flaw in Fortra GoAnywhere Managed File Transfer (MFT) software as early as September 10, 2025, a whole week before it was publicly disclosed.

“This is not ‘just’ a CVSS 10.0 flaw in a solution long favored by APT groups and ransomware operators – it is a vulnerability that has been actively exploited in the wild since at least September 10, 2025,” Benjamin Harris, CEO and Founder of watchTowr, told The Hacker News.

The vulnerability in question is CVE-2025-10035, which has been described as a deserialization vulnerability in the License Servlet that could result in command injection without authentication. Fortra GoAnywhere version 7.8.4, or the Sustain Release 7.6.3, was released by Fortra last week to remediate the problem.

DFIR Retainer Services

According to an analysis released by watchTowr earlier this week, the vulnerability has to do with the fact that it’s possible to send a crafted HTTP GET request to the “/goanywhere/license/Unlicensed.xhtml/” endpoint to directly interact with the License Servlet (“com.linoma.ga.ui.admin.servlet.LicenseResponseServlet”) that’s exposed at “/goanywhere/lic/accept/<GUID>” using the GUID embedded in the response to the earlier sent request.

Armed with this authentication bypass, an attacker can take advantage of inadequate deserialization protections in the License Servlet to result in command injection. That said, exactly how this occurs is something of a mystery, researchers Sonny Macdonald and Piotr Bazydlo noted.

Cybersecurity vendor Rapid7, which also released its findings into CVE-2025-10035, said it’s not a single deserialization vulnerability, but rather a chain of three separate issues –

  • An access control bypass that has been known since 2023
  • The unsafe deserialization vulnerability CVE-2025-10035, and
  • An as-yet unknown issue pertaining to how the attackers can know a specific private key

In a subsequent report published Thursday, watchTowr said it received evidence of exploitation efforts, including a stack trace that enables the creation of a backdoor account. The sequence of the activity is as follows –

  • Triggering the pre-authentication vulnerability in Fortra GoAnywhere MFT to achieve remote code execution (RCE)
  • Using the RCE to create a GoAnywhere user named “admin-go”
  • Using the newly created account to create a web user
  • Leveraging the web user to interact with the solution and upload and execute additional payloads, including SimpleHelp and an unknown implant (“zato_be.exe”)
CIS Build Kits

The cybersecurity company also said the threat actor activity originated from the IP address 155.2.190[.]197, which, according to VirusTotal, has been flagged for conducting brute-force attacks targeting Fortinet FortiGate SSL VPN appliances.

Given signs of in-the-wild exploitation, it’s imperative that users move quickly to apply the fixes, if not already. The Hacker News has reached out to Fortra for comment, and we will update the story if we hear back.



Source link

Tags: computer securitycyber attackscyber newscyber security newscyber security news todaycyber security updatescyber updatesdata breachhacker newshacking newshow to hackinformation securitynetwork securityransomware malwaresoftware vulnerabilitythe hacker news
The Hacker News

The Hacker News

Next Post
12 Press Releases You Need to See This Week

12 Press Releases You Need to See This Week

Recommended.

Fractus et Verizon règlent leur litige en matière de brevets

Fractus et Verizon règlent leur litige en matière de brevets

March 25, 2026
Paessler GmbH Appoints Jason Teichman as CEO to Drive Next Phase of Growth and Innovation

Paessler GmbH Appoints Jason Teichman as CEO to Drive Next Phase of Growth and Innovation

September 30, 2025

Trending.

Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

May 4, 2026
AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

May 1, 2026
AWS Solution Provider Caylent Unveils Dedicated Anthropic Claude Unit

AWS Solution Provider Caylent Unveils Dedicated Anthropic Claude Unit

April 30, 2026
Google’s 0 Million Partner Fund Targets AI Agent Era Channel Paradigm Shift

Google’s $750 Million Partner Fund Targets AI Agent Era Channel Paradigm Shift

April 24, 2026
This Scammer Used an AI-Generated MAGA Girl to Grift ‘Super Dumb’ Men

This Scammer Used an AI-Generated MAGA Girl to Grift ‘Super Dumb’ Men

April 21, 2026

PTechHub

A tech news platform delivering fresh perspectives, critical insights, and in-depth reporting — beyond the buzz. We cover innovation, policy, and digital culture with clarity, independence, and a sharp editorial edge.

Follow Us

Industries

  • AI & ML
  • Cybersecurity
  • Enterprise IT
  • Finance
  • Telco

Navigation

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Subscribe to Our Newsletter

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Copyright © 2025 | Powered By Porpholio

No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs

Copyright © 2025 | Powered By Porpholio