Organizations relying on secure file transfers are facing new security concerns with the discovery of a major vulnerability in GoAnywhere MFT, a managed file-transfer service from Fortra. As businesses increasingly depend on automated systems to handle sensitive data flows, the risks associated with cybersecurity flaws are growing. Experts urge proactive defense, emphasizing the lessons learned from earlier incidents tied to similar services such as MOVEit, which saw global impacts. Many firms, including those from the Fortune 500, rely on GoAnywhere, heightening the stakes for a timely and coordinated response.
When the MOVEit Transfer vulnerability was disclosed in 2023, mass exploitation resulted in serious data breaches across thousands of organizations. The sheer scale of the MOVEit event demonstrated how attractive file-transfer services are as a target for cybercriminals. While that incident led to swift adoption of upgrades and training by many customers, some organizations did not apply patches quickly enough, leading to prolonged exposure. With the new GoAnywhere MFT weakness bearing a technical likeness to earlier exploited flaws, risk analysts are watching closely to see whether prior lessons translate to faster mitigation this time.
How Does the GoAnywhere MFT Vulnerability Work?
The newly identified flaw, tracked as CVE-2025-10035, allows an attacker who forges a valid license response signature to gain the ability to execute unauthorized commands on the system. This vulnerability affects GoAnywhere MFT’s deserialization process, potentially opening avenues for command injection. Notably, the defect does not require authentication, making it particularly accessible for unauthorized actors if an admin console is exposed online.
Have There Been Any Exploits So Far?
Security firms monitoring the threat landscape report no public evidence of exploitation at this time, but concern remains high due to previous patterns. Historical attacks, particularly those involving the Clop ransomware group, have capitalized on similar vulnerabilities in file-transfer software, such as CVE-2023-0669. Industry observers predict it is a matter of time before malicious actors attempt to exploit GoAnywhere MFT, especially given the high CVSS score and the lack of an authentication requirement.
How Are Companies Responding to the Discovery?
Fortra, the developer behind GoAnywhere, discovered the flaw during a regular security review on September 11 and responded with the release of a patch and customer mitigation guidance.
“We identified that GoAnywhere customers with an admin console accessible over the internet could be vulnerable to unauthorized third-party exposure,” explained Jessica Ryan, public relations manager at Fortra. Customers were swiftly notified with recommendations designed to limit risk and assist in resolving the issue.
“We immediately developed a patch and offered customers mitigation guidance to help resolve the issue,” added Ryan, underscoring the urgency of the company’s response.
Threats to managed file-transfer products such as GoAnywhere MFT have become increasingly frequent, with multiple vulnerabilities from Fortra listed in the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog within a short span. The recurrence of similar flaws highlights persistent security challenges within the sector. For organizations, swiftly patching critical systems and reviewing external exposure remain essential steps in reducing the threat surface. Security researchers remind system administrators that even the best patch management programs cannot be fully effective if vulnerabilities are exploited covertly before detection, and that compromised systems may require further investigation and remediation beyond patching.