Is This Bad? This Feels Bad. (Fortra GoAnywhere CVE-2025-10035) labs.watchtowr.com/is-this-b…

Welcome back to another watchTowr Labs analysis. This time, we are dissecting CVE-2025-10035, a perfect CVSS 10.0 vulnerability in Fortra’s GoAnywhere MFT.

[…]

Could this vulnerability already be in active use? Could someone have access to a signed malicious object ready to be sprayed across the Internet or delivered with precision to a single target? Could that be happening right now? One thing is certain: no vendor assigns a CVSS 10 to a purely theoretical bug. We’d advise against leaving GoAnywhere unpatched below 7.8.4 (or Sustain Release 7.6.3).

Edward Kiledjian @ekiledjian