Cybersecurity company watchTowr Labs has revealed that it has “reliable evidence” that a recently disclosed security flaw in Fortra GoAnywhere Managed File Transfer (MFT) software has been exploited in the wild as early as September 10, 2025, a week ago.
Benjamin Harris, CEO and founder of watchTowr, told The Hacker News: “This is ‘only’ a CVSS 10.0 flaw in a solution that has long been favored by APT groups and ransomware operators – a vulnerability that has been actively exploited in the wild since September 10, 2025.”
The vulnerability in question is CVE-2025-10035, which is described as a deserialization vulnerability in the License Servlet that results in command injection without authentication. Fortra addressed the issue last week in GoAnywhere version 7.8.4, or Sustain Release 7.6.3.
According to an analysis published by watchTowr earlier this week, it is possible to reach the vulnerable code by obtaining a crafted HTTP response “in response to a request sent earlier using the embedded GUID” at /goanywhere/lic/accept/<guid>.
Armed with this authentication bypass, an attacker can abuse the unsafe deserialization in the License Servlet to achieve command injection. That said, how this actually happens remains something of a mystery, researchers Sonny Macdonald and Piotr Bazydlo noted.
Cybersecurity vendor Rapid7, which also released its findings on CVE-2025-10035, said it is not a single deserialization vulnerability but a chain of three distinct issues:
- An access control bypass that has been known since 2023
- The unsafe deserialization vulnerability CVE-2025-10035, and
- An as-yet-unknown issue by which the attacker is able to learn a specific private key
In a report published on Thursday, watchTowr said it found evidence of exploitation attempts, including a stack trace tied to the creation of a backdoor account. The sequence of activity is as follows:
- Exploitation of the pre-authentication vulnerability in Fortra GoAnywhere MFT to achieve remote code execution (RCE)
- Use of the RCE to create a GoAnywhere user called “Admin-Go”
- Use of the newly created account to create web users
- Use of a web user to interact with the system and upload and execute additional payloads, including SimpleHelp and an unknown implant (“zato_be.exe”)
The cybersecurity company also said the threat actor activity originated from the IP address 155.2.190[.]197, which, according to GreyNoise, has been flagged for carrying out brute-force attacks targeting Fortinet FortiGate SSL VPN appliances.
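As an added illustration for defenders (not code from watchTowr, Rapid7 or Fortra), the script below correlates the reported stages of the intrusion, per source IP, over constructed log lines; the “timestamp ip event detail” layout, the event names and the stage patterns are assumptions, not the real GoAnywhere log format.

```python
import re
from collections import defaultdict

# Constructed sample lines in an assumed "<timestamp> <ip> <event> <detail>" layout;
# this is NOT the real GoAnywhere log format, only an illustration.
SAMPLE_LOG = """\
2025-09-10T02:11:05Z 155.2.190.197 HTTP POST /goanywhere/lic/accept/9b2e-guid 200
2025-09-10T02:11:09Z 155.2.190.197 USER_CREATE name=Admin-Go role=admin
2025-09-10T02:12:40Z 155.2.190.197 WEBUSER_CREATE name=sync01 by=Admin-Go
2025-09-10T02:15:02Z 155.2.190.197 FILE_UPLOAD path=/tmp/zato_be.exe by=sync01
2025-09-10T03:00:00Z 10.0.0.5 HTTP GET /goanywhere/login 200
2025-09-10T03:05:00Z 10.0.0.5 WEBUSER_CREATE name=partner by=auditor
"""

# One pattern per stage of the reported sequence, in the order the report gives them.
STAGES = [
    ("license_servlet_hit", re.compile(r"/goanywhere/lic/accept/")),
    ("backdoor_admin_created", re.compile(r"USER_CREATE name=Admin-Go\b")),
    ("web_user_created", re.compile(r"WEBUSER_CREATE\b")),
    ("implant_uploaded", re.compile(r"FILE_UPLOAD .*zato_be\.exe")),
]
KNOWN_BAD_IPS = {"155.2.190.197"}  # the address named in the report (defanged there)

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")  # timestamp, ip, remainder

def stages_by_ip(log_text):
    """Return {ip: [stage names in order of first appearance]}."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, rest = m.group(2), m.group(3)
        for name, pattern in STAGES:
            if pattern.search(rest) and name not in seen[ip]:
                seen[ip].append(name)
    return dict(seen)

def flagged_ips(log_text, min_stages=2):
    """IPs that hit >= min_stages stages in the report's order, or a known-bad IP."""
    order = [name for name, _ in STAGES]
    out = {}
    for ip, stages in stages_by_ip(log_text).items():
        in_order = stages == sorted(stages, key=order.index)
        if ip in KNOWN_BAD_IPS or (in_order and len(stages) >= min_stages):
            out[ip] = stages
    return out
```

A single web-user creation by a legitimate administrator (the 10.0.0.5 lines) is not flagged; only an IP that walks the chain in order, or matches the reported address, is.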
Given the signs of in-the-wild exploitation, it is essential that users move quickly to apply the fixes if they have not already done so. The Hacker News has reached out to Fortra for comment, and we will update the story if we hear back.