- CVE-2025-10035 in GoAnywhere MFT allows critical command injection via the License Servlet
- Exploitation began before public disclosure; watchTowr found credible evidence
- Users urged to patch or isolate systems; previous flaws led to major CL0P ransomware breaches
GoAnywhere MFT, a popular managed file transfer solution, has a maximum-severity vulnerability that is currently being exploited in the wild, according to security researchers at watchTowr Labs, who claim to have found “credible evidence”.
Fortra (the company behind GoAnywhere) recently published a new security advisory urging customers to patch CVE-2025-10035.
This is a deserialization vulnerability in the License Servlet that allows threat actors to run command injection attacks. In other words, it is a flaw in the license-checking mechanism that can let an attacker trick GoAnywhere into running their code.
Credible evidence
The vulnerability received the maximum severity score, 10/10, which means it is absolutely critical that users patch it. Apart from that, the advisory did not say much about potential attackers or current targets.
However, watchTowr’s researchers did: “We have received credible evidence of in-the-wild exploitation of Fortra GoAnywhere CVE-2025-10035, dating back to September 10, 2025,” the researchers said in their write-up.
“That is eight days before Fortra’s public advisory, published on September 18, 2025. This explains why Fortra later decided to publish limited IOCs, and we are now calling on defenders to immediately change how they think about timelines and risk.”
The best way to protect against the attacks is to upgrade to a patched version, either the latest release (7.8.4) or Sustain Release 7.6.3.
Those who cannot patch at this point can remove GoAnywhere from the public internet through the Admin Console, and those who suspect they may have been targeted should inspect logs for errors containing the string ‘SignedObject.getObject’.
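The log check described above, as an added example (not code from Fortra, watchTowr or the original article): it attaches multi-line Java stack traces to the log entry that produced them and reports entries containing `SignedObject.getObject`, oldest first, so the earliest occurrence can be compared against the disclosure timeline. The timestamp-prefixed line format, the `example.*` class names and the sample log are constructed assumptions; adjust `ENTRY_START` to the real log layout.

```python
import re
import sys
from datetime import datetime

INDICATOR = "SignedObject.getObject"  # string the article says to search for
# Assumption: every log entry starts with "YYYY-MM-DD HH:MM:SS"; stack frames
# and "Caused by:" lines that follow belong to the entry above them.
ENTRY_START = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")

def group_entries(lines):
    """Yield (timestamp, lines) with continuation lines attached to their entry."""
    ts, buf = datetime.min, []  # lines before the first timestamp keep datetime.min
    for raw in lines:
        line = raw.rstrip("\r\n")
        m = ENTRY_START.match(line)
        if m and buf:
            yield ts, buf
            buf = []
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        buf.append(line)
    if buf:
        yield ts, buf

def find_hits(lines):
    """Return entries containing the indicator, oldest first."""
    hits = [(ts, e) for ts, e in group_entries(lines) if any(INDICATOR in l for l in e)]
    return sorted(hits, key=lambda h: h[0])

# Constructed sample (not real product output); the later entry comes first,
# as happens when rotated log files are concatenated out of order.
SAMPLE = """\
2025-01-05 09:00:00 ERROR Error processing request
java.lang.Exception: constructed
\tat java.base/java.security.SignedObject.getObject(SignedObject.java)
2025-01-02 03:12:44 INFO Scheduler started
2025-01-02 03:14:02 ERROR Error processing request
java.lang.Exception: constructed
\tat java.base/java.security.SignedObject.getObject(SignedObject.java)
\tat example.Handler.handle(Handler.java)
2025-01-02 03:15:10 ERROR Database timeout
\tat example.Db.connect(Db.java)
"""

if __name__ == "__main__":
    source = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE.splitlines()
    for ts, entry in find_hits(source):
        print(f"{ts.isoformat()}  {len(entry)} lines  {entry[0]}")
```

Run with a log file path as the only argument; with no argument it scans the constructed sample.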
At the beginning of 2023, threat actors exploited a flaw in GoAnywhere MFT to steal data from dozens of organizations around the world. The ransomware group CL0P claimed responsibility, leaked sensitive files and demanded payment, making it one of the year’s most damaging supply chain attacks.
Via BleepingComputer



