
Threat intelligence professionals have a sense of foreboding about a maximum-severity vulnerability Fortra disclosed last week in its file-transfer service GoAnywhere MFT, as they steel themselves for active exploitation and signs of compromise.
Fortra has not declared the defect actively exploited and did not answer questions to that effect from CyberScoop. Yet researchers at watchTowr said they have obtained credible evidence of active exploitation of the vulnerability dating back to Sept. 10.
The disagreement between vendor and research firm highlights a stubborn conundrum in the world of vulnerability disclosure and management. When defects turn out to be more severe and actively exploited than vendors initially report, it creates unnecessary challenges for defenders and impacted users.
Fortra did not answer questions about or respond to watchTowr’s latest findings. Fortra maintains it discovered the vulnerability or its potential impact during a “security check” on Sept. 11, but it hasn’t included those details in the advisory.
The cybersecurity vendor previously updated its security advisory for the deserialization vulnerability — CVE-2025-10035 — with details that baffled some researchers because of their lack of clarity. Fortra added indicators of compromise and stack traces that, if present in customers’ log files, indicate their “instance was likely affected by this vulnerability,” the company said.
Ben Harris, founder and CEO at watchTowr, discredited some of Fortra’s public statements about the vulnerability as he and his team of researchers confirmed suspicions they had held about attacks linked to the vulnerability since it was first disclosed.
“What a mess,” he told CyberScoop. “All they had to do was just be honest and transparent — and instead, have turned this into scandal.”
Threat hunters’ concerns about the vulnerability were amplified when Fortra updated its advisory to share specific strings for customers to monitor in their log files.
The IOCs added to Fortra’s advisory “makes us logically uneasy because it strongly suggests that attackers may already be active,” Harris said prior to confirming active exploitation. The details added to the vendor’s “Am I Impacted?” section in the advisory “implies this isn’t just a hypothetical risk,” Harris added.
Researchers from Rapid7 and VulnCheck drew similar conclusions, noting it’s rare for vendors to publish IOCs for new critical vulnerabilities absent confirmed exploitation.
“While the IOCs do not confirm exploitation in the wild, they strongly suggest the vendor believes that this vulnerability will be exploited if it has not already been,” said Stephen Fewer, senior principal researcher at Rapid7.
Private key, the missing link
Vulnerability researchers uncovered additional details about the steps attackers would have to take to achieve exploitation, including unexplained access to a specific private key.
“To successfully achieve remote-code execution, an attacker must send a signed Java object to the target GoAnywhere MFT server. The target server will use a public key to verify the signed object and, if the signature is valid, then an unsafe deserialization vulnerability can be hit, achieving arbitrary code execution,” Fewer said.
“The missing detail is how the attacker can achieve this when the required private key is not present in the code base of GoAnywhere MFT,” he added.
This key, its whereabouts and how an attacker might gain access to it have researchers on edge, leading some to speculate that the private key may have been leaked or otherwise stolen from a cloud-based GoAnywhere license server, which is designed to legitimize signed objects.
Researchers don’t have the private key and have been unable to produce a working exploit without it.
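The verify-then-deserialize flow Fewer describes, modeled in Python’s pickle as an added example (not Fortra’s code; the HMAC key, the message layout and the class allowlist are all constructed for the demo): a valid signature only proves the payload came from a key holder, so if that key is compromised the receiver’s remaining protection is restricting what the deserializer is allowed to instantiate.

```python
import hashlib
import hmac
import io
import pickle
from typing import Optional

# Constructed demo secret; stands in for the signing key the receiver trusts.
SIGNING_KEY = b"demo-signing-key-not-a-real-secret"
TAG_LEN = hashlib.sha256().digest_size


def sign(payload: bytes, key: bytes = SIGNING_KEY) -> bytes:
    """Prefix the serialized object with a MAC tag (demo stand-in for a signature)."""
    return hmac.new(key, payload, hashlib.sha256).digest() + payload


def verify(signed: bytes, key: bytes = SIGNING_KEY) -> Optional[bytes]:
    """Return the payload if the tag checks out, else None."""
    tag, payload = signed[:TAG_LEN], signed[TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(tag, expected) else None


class AllowlistUnpickler(pickle.Unpickler):
    """Refuse to resolve any global not on a small, constructed allowlist."""
    ALLOWED = {("builtins", "dict"), ("builtins", "list"), ("builtins", "set")}

    def find_class(self, module, name):
        if (module, name) not in self.ALLOWED:
            raise pickle.UnpicklingError(f"blocked global {module}.{name}")
        return super().find_class(module, name)


def unsafe_handle(signed: bytes):
    """Signature gate only: whatever a key holder signs gets fully deserialized."""
    payload = verify(signed)
    if payload is None:
        return "rejected: bad signature"
    return pickle.loads(payload)  # trusts the key completely


def hardened_handle(signed: bytes):
    """Signature gate plus a deserialization allowlist; survives a leaked key."""
    payload = verify(signed)
    if payload is None:
        return "rejected: bad signature"
    try:
        return AllowlistUnpickler(io.BytesIO(payload)).load()
    except pickle.UnpicklingError as exc:
        return f"rejected: {exc}"
```

A benign request passes both handlers; a signed payload that references a class outside the allowlist is instantiated by the unsafe handler but refused by the hardened one, which is the difference that matters once the key is no longer trustworthy.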
“Adversaries overall are opportunistic,” said Caitlin Condon, vice president of security research at VulnCheck. “It’s a pretty big deal for them to somehow get access to private keys.”
Cybercriminals have accessed private keys before, as evidenced earlier this month when an attacker exploited a zero-day vulnerability in Sitecore by using sample keys customers copied and pasted from the vendor’s documentation.
A key was at the root cause of a major China-affiliated espionage attack on Microsoft Exchange Online in 2023, which exposed emails belonging to high-ranking U.S. government officials and others. Microsoft never definitively determined how the threat group it tracks as Storm-0558 acquired the key, and a federal review board later lambasted the company for “a cascade of security failures” in a scathing report about the attack and its widespread impact.
Vendor responsibility tested
Vendors are responsible for providing their customers with timely and actionable information that can protect them against attacks, including explicit acknowledgement of active exploitation, experts said.
“This provides clarity and peace of mind for defenders looking to prioritize vulnerabilities more effectively in a challenging threat climate, rather than forcing them to speculate or rely on third-party research to answer questions that the supplier is best positioned to address,” Condon said.
“The easiest way to know whether this vulnerability, or any vulnerability, has been exploited would be for the vendor to explicitly disclose whether they’re aware of confirmed malicious activity in customer environments,” she said.
The maximum-severity score assigned to CVE-2025-10035 is a revealing signal, Condon added. “It’s unusual for a vendor to assign a perfect 10 CVSS score unless they’ve validated vulnerability details and confirmed how an adversary would conduct a successful attack,” she said.
Fortra has been through this before. Its customers were targeted two years ago with a widely exploited zero-day vulnerability in the same file-transfer service. Fortra’s description of CVE-2025-10035 bears striking similarities to CVE-2023-0669, a defect exploited by Clop in attacks on more than 100 organizations, and by at least five other ransomware groups.
Harris criticized Fortra for its reluctance to share crucial information.
“As an organization that signed CISA’s Secure By Design pledge that includes wording around transparency for in-the-wild exploitation, the situation seems rather disappointing,” he said.
Enterprises, security professionals and defenders rely on accurate data to determine exposure and react accordingly, Harris added.
“When transparency is missing, these same teams are left in the dark and left with inadequate information to make risk decisions,” he said. “Given the context of the solution being used, and the organizations that use this solution, we cannot understate the impact of additional dwell time for an attacker in some of these environments.”
The post Worries mount over max-severity GoAnywhere defect appeared first on CyberScoop.
Fortra, the vendor behind the file-transfer service software, has yet to report exploitation or address evidence of compromise. Independent researchers say otherwise.