Executive Summary
In early June 2025, Fortra disclosed a critical command injection vulnerability (CVE-2025-10035) in its GoAnywhere managed file transfer (MFT) solution. The flaw could be exploited by unauthenticated attackers if the management interface was exposed to the Internet, allowing remote code execution and potential takeover of affected servers. Fortra warned that active exploitation had been observed, and threat actors were leveraging the vulnerability to move laterally within compromised networks and facilitate data exfiltration. The incident affected a broad range of organizations reliant on GoAnywhere for secure file transfers, raising concerns about operational continuity and potential data exposure.
The attack underscores the ongoing risk posed by internet-exposed enterprise services and highlights the urgent need for timely patching of high-severity vulnerabilities. Increasingly, ransomware and data theft campaigns target known security flaws in widely used third-party solutions, putting supply chains and regulatory compliance at risk.
Why This Matters Now
This vulnerability is highly attractive to attackers due to its ease of exploitation and potential for significant impact. With exploitation observed in the wild and many organizations still relying on GoAnywhere for critical data transfers, immediate patching and network segmentation are essential. The incident serves as a stark reminder to secure internet-exposed services and to maintain robust vulnerability management practices.
Attack Path Analysis
Attackers exploited an exposed, vulnerable Fortra GoAnywhere instance using command injection (CVE-2025-10035) to gain initial access. They sought to elevate privileges within the compromised application to extend control. Utilizing this foothold, attackers moved laterally across east-west network paths, targeting internal workloads and possibly cloud-native services. They established command and control channels to maintain access and coordinate post-exploitation activity. Sensitive data was then exfiltrated through unmonitored egress or covert channels. The attack culminated in actions impacting availability or integrity, such as data destruction or extortion.
Kill Chain Progression
Initial Compromise
Description
Attackers exploited a command injection flaw (CVE-2025-10035) in an internet-exposed GoAnywhere instance to execute arbitrary commands.
Related CVEs
CVE-2025-10035
CVSS: 10
A deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an attacker with a validly forged license response signature to deserialize an arbitrary actor-controlled object, potentially leading to command injection and remote code execution.
Affected Products:
Fortra GoAnywhere MFT – <= 7.8.3
Exploit Status:
Exploited in the wild
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Command and Scripting Interpreter
Exploitation of Remote Services
Access Token Manipulation
Impair Defenses
Network Service Discovery
Unsecured Credentials
Remote Services
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Security of System Components
Control ID: 6.3.1
NYDFS 23 NYCRR 500 – Access Controls and Identity Management
Control ID: 500.07
DORA (Digital Operational Resilience Act) – ICT Risk Management
Control ID: Art. 8
CISA Zero Trust Maturity Model (ZTMM) 2.0 – Continuous Vulnerability Assessment
Control ID: Pillar 2: Application Workload
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
Critical vulnerability in Fortra GoAnywhere MFT systems threatens secure file transfers, potentially exposing sensitive financial data and violating PCI compliance requirements.
Health Care / Life Sciences
Command injection flaw in widely used file transfer solutions poses severe risk to patient data security and HIPAA compliance in healthcare organizations.
Government Administration
Internet-exposed GoAnywhere systems in government agencies face high-severity exploitation risk, threatening classified data and critical infrastructure through command injection attacks.
Information Technology/IT
IT service providers using GoAnywhere for client data transfers face a maximum-severity vulnerability enabling remote command execution and potential supply chain attacks.
Sources
- Patch Now: Max-Severity Fortra GoAnywhere Bug Allows Command Injection: https://www.darkreading.com/cyberattacks-data-breaches/patch-fortra-goanywhere-bug-command-injection
- Deserialization Vulnerability in GoAnywhere MFT's License Servlet: https://www.fortra.com/security/advisories/product-security/fi-2025-012
- CVE-2025-10035 Detail: https://nvd.nist.gov/vuln/detail/CVE-2025-10035
- Investigating active exploitation of CVE-2025-10035 GoAnywhere Managed File Transfer vulnerability: https://www.microsoft.com/en-us/security/blog/2025/10/06/investigating-active-exploitation-of-cve-2025-10035-goanywhere-managed-file-transfer-vulnerability/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust and CNSF-aligned controls such as segmentation, inline threat detection, egress policy enforcement, and east-west traffic visibility would have limited or detected each stage of the attack, curtailing escalation, lateral spread, and data loss. Proactive microsegmentation and distributed enforcement at the cloud network layer minimize blast radius and surface area exploitable by attackers.
Control: Cloud Firewall (ACF)
Mitigation: Prevents or detects malicious inbound exploits via perimeter enforcement.
Control: Threat Detection & Anomaly Response
Mitigation: Detects suspicious privilege escalation behaviors for rapid remediation.
Control: Zero Trust Segmentation
Mitigation: Restricts unauthorized east-west movement by enforcing least privilege policies.
Control: Inline IPS (Suricata)
Mitigation: Blocks known C2 traffic and detects anomalous outbound connections.
Control: Egress Security & Policy Enforcement
Mitigation: Stops unauthorized data flows to unapproved destinations.
Real-time observability and alerting enable rapid containment of destructive actions.
Impact at a Glance
Affected Business Functions
- File Transfer Operations
- Data Exchange Processes
Estimated downtime: 5 days
Estimated loss: $5,000,000
Potential exposure of sensitive files and credentials due to unauthorized access and data exfiltration.
Recommended Actions
Key Takeaways & Next Steps
- Eliminate unnecessary public exposure of sensitive cloud applications and enforce least-privilege access at the perimeter.
- Deploy cloud-native firewalls and inline IPS to block exploit attempts and inspect all ingress and egress flows.
- Implement granular Zero Trust Segmentation to prevent lateral movement between critical workloads.
- Enforce strict egress policies and encryption on all outbound connections to detect and prevent data exfiltration.
- Strengthen continuous threat detection and anomaly response to rapidly identify and contain privilege escalation or destructive actions.