CVE-2025-10035 – Critical unauthenticated RCE in GoAnywhere MFT


On September 18, 2025, Fortra published an advisory for CVE-2025-10035. This new vulnerability affects GoAnywhere MFT, an enterprise managed file transfer solution, and allows an attacker to achieve unauthenticated remote code execution. GoAnywhere MFT is a file transfer solution that has been exploited in-the-wild in the past.

In 2023, CVE-2023-0669 was exploited in-the-wild as a zero-day, and that vulnerability is known to have been used by ransomware groups. Currently there is no known public exploit code available for the new vulnerability, CVE-2025-10035, and the vendor has not reported CVE-2025-10035 as having been exploited in-the-wild. However, given the nature and history of this product, this new vulnerability should be treated as a significant threat.

Read more…
Source: Rapid7


Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox


Related:

  • Microsoft patches 34 vulnerabilities, including one zero-day

    December 13, 2023

    December’s Patch Tuesday is a relatively quiet one on the Microsoft front. Redmond has patched 34 vulnerabilities with only four rated as critical. One vulnerability, a previously disclosed unpatched vulnerability in AMD central processing units (CPUs), was shifted by AMD to software developers. Read more… Source: Malwarebytes labs  

  • Russian Foreign Intelligence Service (SVR) Exploiting JetBrains TeamCity CVE Globally

    December 13, 2023

    The US Federal Bureau of Investigation (FBI) and partners assess Russian Foreign Intelligence Service (SVR) cyber actors – also known as Advanced Persistent Threat 29 (APT 29), the Dukes, CozyBear, and NOBELIUM/Midnight Blizzard – are exploiting CVE-2023-42793 a at a large scale, targeting servers hosting JetBrains TeamCity software since September 2023. Software developers use TeamCity software ...

  • The sound of you typing on your keyboard could reveal your password

    December 12, 2023

    As if password authentication’s coffin needed any more nails, researchers in the UK have discovered yet another way to hammer one in. The technique, developed at Durham University, the University of Surrey, and Royal Holloway University of London, builds on previous work to produce a more accurate way to guess your password by listening to ...

  • Insights into your unpatched vulnerabilities

    December 11, 2023

    In the 100 most prevalent unpatched vulnerabilities, the majority (93 out of the 100) are found in software by Adobe, Zoom, and Mozilla. No vulnerability listed as critical made it into the top 100 most prevalent vulnerabilities. But one critical vulnerability was close: CVE-2020-9633 in Adobe Flash Player. The vulnerable version of Flash is still in ...

  • Analyzing AsyncRAT’s code injection into aspnet_compiler.exe across multiple incident response cases

    December 11, 2023

    During their recent investigations, the Trend Micro Managed XDR (MxDR) team handled various cases involving AsyncRAT, a Remote Access Tool (RAT) with multiple capabilities,  such as keylogging and remote desktop control, that make it a substantial threat to victims. This blog entry delves into MxDR’s unraveling of the AsyncRAT infection chain across multiple cases, shedding light ...

  • Android phones can be taken over remotely – update when you can

    December 7, 2023

    Takeover a device remotely without the device owner needing to do anything. Updates for these vulnerabilities and more are included in Google’s Android security bulletin for December. In total, there are patches for 94 vulnerabilities, including five rated as “Critical.” The most severe of these flaws is a vulnerability in the System component that could lead ...