A fake license opened all doors. No one noticed the substitution—except for the hackers.
Eight days of silence turned into the perfect cover for a large-scale operation.
Researchers from WatchTowr Labs reported active attacks on a maximum-severity vulnerability in the Fortra GoAnywhere MFT file transfer management system. The issue, tracked as CVE-2025-10035, is a deserialization flaw in the License Servlet component that allows command injection without authentication. Exploitation requires only a forged license response carrying a valid signature.
Fortra notified its customers about the flaw on September 18. However, the company itself had become aware of it roughly a week earlier and did not say how it learned of the issue or whether it already knew of active exploitation. Meanwhile, the WatchTowr report cites "reliable confirmations" of attacks starting on September 10, eight days before the official advisory was published. For this reason, the researchers urged a change in how risk is assessed, noting that threat actors often exploit vulnerabilities long before bulletins are released.
An analysis of the attack traces showed that after exploiting the vulnerability, the attackers achieved command execution on the server without authorization, created a hidden administrator account named 'admin-go', and then used it to add a web user with legitimate access rights. Through this user, additional components were uploaded and executed. Among the detected files were 'zato_be.exe' and 'jwunst.exe'. The latter is a legitimate binary for the SimpleHelp remote administration software, but in this case, it was used for persistent control over the compromised systems.
The attackers also executed the 'whoami /groups' command, saving the results to a file named 'test.txt' for exfiltration. This allowed them to determine the current user's privileges and plan their movement within the infrastructure.
At the time of publication, Fortra had not commented on WatchTowr's findings. The vendor has released patches in the current version 7.8.4 and in the support branch 7.6.3. Experts strongly advise updating affected systems and, as a temporary measure, restricting access to the administrative console from the internet. Additionally, the developer recommends checking logs for errors containing the string 'SignedObject.getObject', as this may indicate exploitation attempts.
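The log check Fortra recommends and the post-exploitation artifacts WatchTowr observed can be combined into a small triage script. The following is an added example written for this article, not code from Fortra or WatchTowr; the log line layout ("timestamp level message") and the sample lines are constructed for the example and do not reproduce GoAnywhere's real log format, so the matching is done on substrings rather than on layout. The 'SignedObject.getObject' error on its own only indicates an exploitation attempt; the account and file indicators are what distinguish a successful intrusion from a failed one.

```python
"""Triage helper for CVE-2025-10035 indicators in GoAnywhere MFT logs.

Added example (not vendor code). The log format and sample lines below are
constructed; real GoAnywhere logs may be laid out differently, so every
indicator is matched as a substring of the whole line.
"""
import re
from typing import Dict, List, Optional

# Indicators named in the reporting: the error string Fortra says to search
# for, plus the account, files and command WatchTowr observed after exploitation.
ERROR_MARKER = "SignedObject.getObject"
HIDDEN_ADMIN = "admin-go"
DROPPED_FILES = ("zato_be.exe", "jwunst.exe", "test.txt")
RECON_COMMAND = "whoami /groups"

# Constructed sample log (not real data). Layout: "<timestamp> <level> <message>".
SAMPLE_LOG = """\
2025-09-10 03:14:07 INFO  License servlet request received from 203.0.113.7
2025-09-10 03:14:07 ERROR java.lang.ClassCastException at java.security.SignedObject.getObject
2025-09-10 03:14:09 INFO  Created admin user 'admin-go'
2025-09-10 03:15:30 INFO  Web user 'svc_transfer' created by admin-go
2025-09-10 03:16:02 INFO  File uploaded: /tmp/zato_be.exe by svc_transfer
2025-09-10 03:16:05 INFO  File uploaded: /tmp/jwunst.exe by svc_transfer
2025-09-10 03:17:11 INFO  Executed: cmd.exe /c whoami /groups > test.txt
2025-09-10 08:00:00 INFO  Scheduled job 'nightly-backup' completed
"""

TIMESTAMP_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")


def classify(line: str) -> List[str]:
    """Return the indicator tags matched by one log line (empty list if clean)."""
    tags: List[str] = []
    low = line.lower()
    if ERROR_MARKER.lower() in low:
        tags.append("deserialization_error")   # attempt indicator, not proof of success
    if HIDDEN_ADMIN in low:
        tags.append("hidden_admin_account")    # strong sign of a successful compromise
    for name in DROPPED_FILES:
        if name in low:
            tags.append(f"artifact:{name}")
    if RECON_COMMAND in low:
        tags.append("recon_command")
    return tags


def scan_log(text: str) -> List[Dict[str, object]]:
    """Scan a whole log text and return one finding per line that matched."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        tags = classify(line)
        if tags:
            findings.append({"line": lineno, "tags": tags, "text": line})
    return findings


def earliest_error_timestamp(findings: List[Dict[str, object]]) -> Optional[str]:
    """Timestamp of the first deserialization error, to date the earliest attempt.

    Useful because, as the article notes, attacks preceded the advisory by days.
    """
    for f in findings:
        if "deserialization_error" in f["tags"]:
            m = TIMESTAMP_RE.match(str(f["text"]))
            if m:
                return m.group(1)
    return None


def compromise_confirmed(findings: List[Dict[str, object]]) -> bool:
    """True if any post-exploitation artifact (not just the error string) was seen."""
    return any(
        t != "deserialization_error" for f in findings for t in f["tags"]
    )


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for f in results:
        print(f"line {f['line']}: {', '.join(f['tags'])}")
    print("earliest attempt:", earliest_error_timestamp(results))
    print("post-exploitation artifacts present:", compromise_confirmed(results))
```

Run it against real log exports by replacing SAMPLE_LOG with the file contents; a host that shows only the error string warrants patching and a closer look, while any of the other tags should trigger incident response rather than just an update.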