Organizations using GoAnywhere MFT from Fortra are facing increased scrutiny as recent admissions confirm attackers have actively exploited a critical vulnerability, CVE-2025-10035. This revelation comes after a surge in concern from cybersecurity researchers, who question how threat actors managed to acquire a private cryptographic key necessary for exploitation. In response, Fortra has released new details about the incident, outlining investigative steps and their timeline for handling the situation. Stakeholders now seek transparency regarding both the technical exploitation and Fortra’s communication with its customer base amid ongoing investigations. The company continues to withhold some specifics, fueling ongoing debate within the cybersecurity community and raising questions about broader organizational preparedness against sophisticated exploits.
GoAnywhere MFT has previously experienced security incidents, but prior reports predominantly involved less severe vulnerabilities or attacks that did not require access to sensitive cryptographic materials. Previous public communications from Fortra tended to acknowledge possible risks without confirming direct unauthorized access. Researchers have noted this latest case is distinct because it involves both active exploitation and a mystery surrounding the acquisition of a private key. Additionally, wide-scale concern has grown as ransomware groups reportedly target this flaw, a scale of threat not seen in earlier vulnerabilities associated with GoAnywhere. When compared to past incidents, the speed and level of public pressure on Fortra to provide clear answers has noticeably increased, marking a shift in both vendor and community expectations.
How Have Attackers Exploited GoAnywhere MFT?
Cybersecurity professionals from firms such as watchTowr, Rapid7, and VulnCheck recently verified the technical steps needed to leverage the CVE-2025-10035 vulnerability, confirming the involvement of a private key believed to be unique to Fortra’s systems. Despite the company’s assurance that affected reports are currently limited, the unexplained exposure of sensitive cryptographic material continues to raise alarm. Investigation remains focused on how attackers were able to fulfill these cryptographic requirements and whether additional undetected attacks have occurred. Ben Harris, founder and CEO at watchTowr, noted,
“the mystery remains — watchTowr researchers and others are still unclear how this vulnerability could be exploited without access to a private key that only Fortra is believed to have access to.”
What Has Fortra Done to Address the Vulnerability?
Fortra reported that initial suspicions about the vulnerability surfaced following a customer’s alert on September 11. The company began notifying potentially affected clients the same day and involved law enforcement to aid the investigation. According to Fortra, several cloud-based instances exhibited suspicious behavior, which were then isolated for further examination. Action steps included deploying patches to cloud-hosted environments by September 17 and undertaking infrastructure updates to address the threat. However, details about exploitation in customer-managed, on-premises environments remain undisclosed, impacting the overall risk assessment.
How Broad Is the Impact of This Security Breach?
Subsequent analysis from cybersecurity agencies and independent researchers has painted an evolving picture of the breach’s scope. The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-10035 to its catalog of exploited vulnerabilities, citing its use in ransomware campaigns. Microsoft Threat Intelligence subsequently highlighted attacks by the cybercriminal group Storm-1175, which utilized this flaw as part of complex, multi-stage attacks. While Fortra continued to release advisories and indicators of compromise, officials did not confirm reports of unauthorized access until releasing their latest summary. A company spokesperson stated,
“At this time, we have a limited number of reports of unauthorized activity related to CVE-2025-10035.”
Fortra’s evolving response to this exploit reflects both the difficulties companies encounter during a security crisis and the expectations for transparency in modern cybersecurity incidents. Historically, critical vulnerabilities in managed file transfer software can expose sensitive business data and disrupt operations, raising the stakes for affected organizations. Users and IT teams are advised to promptly apply security updates, follow threat intelligence advisories, and review configurations for anomalous activity in managed file transfer environments. As investigations progress, clarifying the origin of the compromised cryptographic key remains crucial for restoring trust. Advising open communication and technical vigilance within organizations may help mitigate the risk of future misuse. Monitoring updates from both vendors and security researchers is recommended for timely risk management and response planning.
