Fortra has recently confirmed that a significant vulnerability in its GoAnywhere Managed File Transfer (MFT) service, identified as CVE-2025-10035, has been actively exploited. This admission marks a critical moment for the vendor, as investigators and cybersecurity experts are still probing the methods by which attackers may have acquired a private key necessary for this exploitation.
In a statement regarding the vulnerability, Fortra stated, "At this time, we have a limited number of reports of unauthorized activity related to CVE-2025-10035." This was echoed by Ben Harris, founder and CEO of watchTowr, who commented on the situation, saying, "It is positive to see Fortra increase their transparency surrounding the CVE-2025-10035 saga." However, he noted the lingering uncertainty, adding, "the mystery remains — watchTowr researchers and others are still unclear how this vulnerability could be exploited without access to a private key that only Fortra is believed to have access to."

Concerns regarding the private key were raised last month when researchers from watchTowr, Rapid7, and VulnCheck independently verified the necessary steps for exploitation, leading to questions that Fortra has yet to fully address. "The fact that Fortra has now opted to confirm ‘unauthorized activity related to CVE-2025-10035,’ confirms yet again that the vulnerability was not theoretical," Harris stated. "The attacker has somehow circumvented, or satisfied, the cryptographic requirements needed to exploit this vulnerability."
Impact and Legacy
The extent of the breach has expanded over the last month as both Fortra and external researchers continue to investigate instances of exploitation. Following reports of suspicious activity from a customer on September 11, Fortra initiated an internal review and acted swiftly to notify potentially impacted clients and alert law enforcement.
According to the company, it uncovered three incidents linked to potentially suspicious activity in its cloud-based GoAnywhere MFT environment. Fortra responded by isolating these instances for further investigation and informing users of its managed services about possible exposure. The company deployed a patch to its cloud services on September 17, but has not elaborated on the scale of exploitation in on-premises environments or on where its services were hosted.
"Fortra updated all company-hosted instances of GoAnywhere MFT, including infrastructure rebuilds," a spokesperson noted. However, they did not respond to specific inquiries from CyberScoop regarding the existing level of exploitation.
The implications of CVE-2025-10035 have not gone unnoticed by government entities. The Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its known exploited vulnerabilities catalog on September 29, indicating that the vulnerability has been involved in ransomware activity. Separately, Microsoft Threat Intelligence reported that a cybercriminal group referred to as Storm-1175 has leveraged CVE-2025-10035 as part of large-scale, multi-stage attacks, including ransomware.
Following these revelations, Fortra remained cautious, repeatedly declining to confirm that it was aware of active exploitation after reports from various cybersecurity researchers. Although the company added indicators of compromise to its security advisory, it did not acknowledge unauthorized activity until Thursday’s announcement.
As the cybersecurity landscape continues evolving, the need for transparency and communication from providers like Fortra becomes increasingly evident. The rate at which these vulnerabilities are being utilized by cybercriminals poses considerable risks not only to businesses but also to personal data security worldwide.
The ongoing investigation into CVE-2025-10035 highlights the challenges faced by cybersecurity firms as they strive to navigate threats and bolster defenses. The outcome of these endeavors will determine not just the integrity of Fortra’s services but also the confidence clients place in their cybersecurity measures moving forward.
