The CVE-2025-10035 vulnerability in Fortra’s GoAnywhere MFT, a critical file transfer tool, was added to CISA’s Known Exploited Vulnerabilities (KEV) list with a CVSS score of 10/10. Evidence suggests active exploitation since at least September 10, 2025, though Fortra has not confirmed this publicly. The flaw allows unauthorized third-party access to systems with an internet-exposed Admin Console, risking data breaches, ransomware deployment, or APT (Advanced Persistent Threat) intrusions. Historical context links this to CVE-2023-0669, a prior GoAnywhere vulnerability exploited by the Clop ransomware gang, which breached 130+ organizations (including Hitachi, Rubrik, Rio Tinto, and government entities like Toronto and Tasmania). If exploited similarly, CVE-2025-10035 could enable mass data theft, financial fraud, or operational disruptions across thousands of vulnerable systems. While Fortra released a patch, delayed action by organizations (e.g., failing to remove public Admin Console access) increases the risk of large-scale attacks, potentially leading to regulatory penalties, reputational damage, and financial losses if customer or employee data is compromised.
Source: https://therecord.media/cisa-orders-federal-gov-patch-fortra-bug
TPRM report: https://www.rankiteo.com/company/fortra
"id": "for2492024093025",
"linkid": "fortra",
"type": "Vulnerability",
"date": "6/2023",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'customers_affected': 'Thousands (estimated '
'internet-facing systems at '
'risk)',
'industry': 'Cybersecurity / File Transfer Solutions',
'name': 'Fortra (GoAnywhere MFT)',
'type': 'Private Company'},
{'industry': 'Public Sector',
'location': 'United States',
'name': 'Federal Civilian Agencies (USA)',
'type': 'Government'}],
'attack_vector': ['Network-Based Exploitation',
'Internet-Exposed Admin Console'],
'customer_advisories': ['Patch Immediately',
'Remove Public Admin Console Access'],
'data_breach': {'data_exfiltration': ['Potential (Unconfirmed)']},
'date_detected': '2025-09-11',
'date_publicly_disclosed': '2025-09-16',
'description': 'A critical vulnerability (CVE-2025-10035, CVSS 10.0) in '
"Fortra's GoAnywhere MFT file transfer tool has been added to "
"CISA's Known Exploited Vulnerabilities (KEV) list. Federal "
'civilian agencies have been ordered to patch it by October '
'20, 2025. The vulnerability, discovered on September 11, '
'2025, affects organizations with internet-exposed Admin '
'Consoles. Cybersecurity firm watchTowr reported evidence of '
'active exploitation since at least September 10, 2025, though '
'Fortra has not confirmed this. The flaw resembles '
'CVE-2023-0669, which was widely exploited by ransomware gangs '
'like Clop in 2023, impacting over 130 organizations, '
'including Hitachi, Rubrik, and government entities.',
'impact': {'brand_reputation_impact': ['Potential Reputation Damage Due to '
'Exploitation Reports'],
'operational_impact': ['Potential Unauthorized Access',
'Data Exfiltration Risk',
'Ransomware Risk'],
'systems_affected': ['GoAnywhere MFT Admin Consoles '
'(Internet-Exposed)']},
'initial_access_broker': {'entry_point': 'Internet-Exposed GoAnywhere Admin '
'Console'},
'investigation_status': 'Ongoing (Fortra and watchTowr)',
'post_incident_analysis': {'root_causes': ['Internet-Exposed Admin Interface',
'Lack of Timely Patch Deployment '
'(Historical Context)']},
'ransomware': {'ransomware_strain': ['Potential Clop (Historical Precedent '
'with CVE-2023-0669)']},
'recommendations': ['Immediately patch CVE-2025-10035 before October 20, 2025',
'Remove public internet access from GoAnywhere Admin '
'Console',
'Review and harden configurations',
'Monitor for signs of exploitation (e.g., unauthorized '
'access)',
'Assume active exploitation and prioritize remediation'],
'references': [{'date_accessed': '2025-09-16',
'source': 'CISA Known Exploited Vulnerabilities Catalog'},
{'date_accessed': '2025-09-16',
'source': 'Recorded Future News'},
{'date_accessed': '2025-09-16',
'source': 'watchTowr Research Report on CVE-2025-10035'},
{'date_accessed': '2025-09-11',
'source': 'Fortra Advisory on GoAnywhere MFT Vulnerability'}],
'regulatory_compliance': {'regulatory_notifications': ['CISA KEV Listing '
'(Mandatory Patching '
'for Federal '
'Agencies)']},
'response': {'communication_strategy': ['Customer Advisories',
'Ongoing Investigation Updates'],
'containment_measures': ['Patch Deployment',
'Mitigation Guidance for Customers',
'Removing Public Access from Admin '
'Console'],
'incident_response_plan_activated': True,
'remediation_measures': ['Urgent Patching by October 20, 2025 '
'(CISA Directive)'],
'third_party_assistance': ['watchTowr (Investigation)',
'CISA (Advisory)']},
'stakeholder_advisories': ['CISA Directive for Federal Agencies',
'Fortra Customer Guidance'],
'title': "Critical Vulnerability in Fortra's GoAnywhere MFT (CVE-2025-10035) "
'Exploited in the Wild',
'type': ['Vulnerability Exploitation',
'Potential Data Breach',
'Unauthorized Access'],
'vulnerability_exploited': 'CVE-2025-10035 (Critical, CVSS 10.0) in Fortra '
'GoAnywhere MFT'}