Fortra is urging GoAnywhere Managed File Transfer (MFT) users to immediately upgrade to version 7.8.4 or v7.6.3 after disclosing a deserialization flaw (CVE-2025-10035) that could enable command injection through a forged license response. Security firm watchTowr raised concerns that the company may have delayed acknowledging active exploitation, noting evidence of attacks as early as September 10, eight days before Fortra issued its September 18 advisory.

Further analysis by watchTowr and Rapid7 found that the issue extends beyond a single vulnerability. Researchers say the exploit chain involves an access control bypass flaw first identified in 2023, the unsafe deserialization bug itself, and an unresolved issue that gave attackers access to a private key used to forge license signatures. Together, these weaknesses enabled attackers to bypass protections and gain remote code execution on vulnerable instances.

Attackers reportedly used the flaw to create a backdoor admin account called admin-go, which was then leveraged to set up additional users, upload malicious implants, and deploy remote support software. Security experts are urging all GoAnywhere customers to review their systems for compromise indicators and upgrade immediately, stressing that even users who find no evidence of intrusion should patch without delay.