From Detection to Patch: Fortra Reveals Full Timeline of CVE-2025-10035 Exploitation

Steven

From Detection to Patch: Fortra Reveals Full Timeline of CVE-2025-10035 Exploitation

Summary

Fortra disclosed the results of its investigation into CVE-2025-10035, a critical deserialization vulnerability in the GoAnywhere Managed File Transfer (MFT) License Servlet that can allow command injection without authentication under certain cryptographic conditions. Fortra began investigating on 11 September 2025 after a customer reported a potential issue, contacted on-premises customers whose admin consoles were internet-exposed, and notified law enforcement the same day. A hotfix was released the next day, with full patched releases (including versions 7.6.3 and 7.8.4) published on 15 September and the CVE assigned three days later.

Fortra says the risk is limited to customers with an admin console exposed to the public internet, but it has confirmed a small number of reports of unauthorised activity. Microsoft reported that a threat tracked as Storm-1175 has been exploiting the flaw since 11 September to deploy Medusa ransomware. It remains unclear how attackers obtained the private keys or otherwise satisfied the cryptographic requirements needed to exploit the bug.

Key Points

  • Fortra began investigating suspected exploitation of CVE-2025-10035 on 11 September 2025 after a customer report.
  • A hotfix was issued the following day; full patched releases (7.6.3 and 7.8.4) were available on 15 September.
  • The vulnerability is a deserialization flaw in the License Servlet that can enable command injection without authentication if cryptographic requirements are bypassed.
  • Active exploitation is documented: Microsoft links Storm-1175 to attacks that deployed Medusa ransomware starting 11 September.
  • Fortra states the exposure is limited to admin consoles accessible from the public internet; other GoAnywhere web components are not affected.
  • There are a limited number of confirmed reports of unauthorised activity tied to this CVE; the method used to obtain private keys remains unclear.
  • Recommended mitigations: restrict internet access to admin consoles, enable monitoring, and apply patches promptly.

Context and Relevance

This disclosure matters because it documents a quick detection-to-patch timeline for a widely used MFT product and confirms real-world exploitation by a ransomware-linked actor. Organisations running GoAnywhere with admin consoles exposed to the internet are at heightened risk and should treat this as an urgent configuration and patching priority. The incident also highlights a broader trend: attackers increasingly find ways to circumvent cryptographic or access controls to weaponise server-side flaws, reinforcing the need for strong exposure management, rapid patching, and telemetry focused on admin interfaces.

Why should I read this?

Short version: if you run GoAnywhere or manage MFT systems, this is one of those ‘drop everything and check’ stories. Fortra confirmed active exploitation, there are ransomware links, and the fix was released fast — so patch, lock down admin consoles and check your logs. If you don’t run GoAnywhere, it’s still a handy reminder to stop leaving admin panels on the public internet and to chase down any emergency patches pronto.

Source

Source: https://thehackernews.com/2025/10/from-detection-to-patch-fortra-reveals.html