CVE-2025-10035 – Critical unauthenticated RCE in GoAnywhere MFT


On September 18, 2025, Fortra published an advisory for CVE-2025-10035. This new vulnerability affects GoAnywhere MFT, an enterprise managed file transfer solution, and allows an attacker to achieve unauthenticated remote code execution. GoAnywhere MFT is a file transfer solution that has been exploited in-the-wild in the past.

In 2023, CVE-2023-0669 was exploited in-the-wild as a zero-day, and that vulnerability is known to have been used by ransomware groups. Currently there is no known public exploit code available for the new vulnerability, CVE-2025-10035, and the vendor has not reported CVE-2025-10035 as having been exploited in-the-wild. However, given the nature and history of this product, this new vulnerability should be treated as a significant threat.

Read more…
Source: Rapid7


Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox


Related:

  • Bringing Access Back — Initial Access Brokers Exploit F5 BIG-IP (CVE-2023-46747) and ScreenConnect

    March 21, 2024

    During the course of an intrusion investigation in late October 2023, Mandiant observed novel N-day exploitation of CVE-2023-46747 affecting F5 BIG-IP Traffic Management User Interface. Additionally, in February 2024, Mandiant researchers observed exploitation of Connectwise ScreenConnect CVE-2024-1709 by the same actor. This mix of custom tooling and the SUPERSHELL framework leveraged in these incidents is assessed ...

  • Patch Ivanti Standalone Sentry and Ivanti Neurons for ITSM now

    March 21, 2024

    Ivanti has issued patches for two vulnerabilities. One was discovered in the Ivanti Standalone Sentry, which impacts all supported versions 9.17.0, 9.18.0, and 9.19.0. Older versions are also at risk. The other vulnerability impacts all supported versions of Ivanti Neurons for ITSM—2023.3, 2023.2 and 2023.1, as well as unsupported versions which will need an upgrade before ...

  • Ethereum’s Create2: A Double-Edged Sword In Blockchain Security

    March 18, 2024

    Ethereum’s CREATE2 function is being exploited by attackers to compromise the security of digital wallets, bypassing traditional security measures and facilitating unauthorized access to funds. The attack method involves tricking users into approving transactions for smart contracts that haven’t been deployed yet, allowing cybercriminals to later deploy malicious contracts and steal cryptocurrencies. This vulnerability highlights the ...

  • A patched Windows attack surface is still exploitable

    March 14, 2024

    On August 8, 2023, Microsoft finally released a kernel patch for a class of vulnerabilities affecting Microsoft Windows since 2015. The vulnerabilities lead to elevation of privilege (EoP), which allows an account with user rights to gain SYSTEM privileges on a vulnerable host. The root cause of this attack surface, according to a 2015 blog, is ...

  • A bug in an Irish government website exposed COVID-19 vaccination records

    March 14, 2024

    Two years ago, the Irish government fixed a vulnerability in its national COVID-19 vaccination portal that exposed the vaccination records of around a million residents. But details of the vulnerability weren’t revealed until this week after attempts to coordinate public disclosure with the government agency stalled and ended. Security researcher Aaron Costello said he discovered the ...

  • CVE-2024-21412: DarkGate Operators Exploit Microsoft Windows SmartScreen Bypass in Zero-Day Campaign

    March 13, 2024

    The Zero Day Initiative (ZDI) recently uncovered a DarkGate campaign in mid-January 2024, which exploited CVE-2024-21412 through the use of fake software installers. During this campaign, users were lured using PDFs that contained Google DoubleClick Digital Marketing (DDM) open redirects that led unsuspecting victims to compromised sites hosting the Microsoft Windows SmartScreen bypass CVE-2024-21412 that led ...