Fortra GoAnywhere Hit by Critical Zero-Day: Why Legacy MFT Solutions Keep Failing

By Editorial Team

    The managed file transfer (MFT) world is experiencing déjà vu once again.

    Security researchers at watchTowr Labs have revealed that threat actors actively exploited a critical vulnerability in Fortra GoAnywhere MFT (CVE-2025-10035) for at least a week before its public disclosure on September 18, 2025. With a perfect CVSS score of 10.0, this latest zero-day adds to an increasingly concerning pattern of attacks against legacy file transfer solutions.

    For security teams still recovering from previous MFT zero-day exploits (Progress MOVEit, Kiteworks/Accellion, and earlier GoAnywhere vulnerabilities), this latest news is further proof that legacy file transfer systems are a favorite target for sophisticated threat actors.

    The Latest Zero-Day: Fortra GoAnywhere Under Attack

    The timeline of CVE-2025-10035 tells a troubling story. Evidence indicates active exploitation began as early as September 10, 2025, with attackers leveraging the vulnerability to:

    1. Achieve remote code execution through a pre-authentication vulnerability
    2. Create backdoor administrative accounts (notably one named "admin-go")
    3. Deploy secondary payloads including remote access tools
    4. Potentially exfiltrate sensitive data from compromised organizations

    What makes this particularly concerning is not just the severity of the vulnerability, but the sophistication of the attack chain and the week-long window of undetected exploitation before patches became available. According to security researchers, CVE-2025-10035 isn't a single flaw, but rather a chain of vulnerabilities:

    • An access control bypass that had been known since 2023
    • Unsafe deserialization in the License Servlet allowing command injection
    • A mysterious third component involving knowledge of private keys used for license validation

    This multi-layered vulnerability demonstrates the complex attack surfaces that legacy MFT systems present, and why they continue to attract the attention of advanced persistent threat (APT) groups and ransomware operators. These legacy systems can be difficult to patch, and they require ongoing maintenance and resource-intensive monitoring to remain resilient against sophisticated threats.
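
A triage check built on the two indicators reported above (the "admin-go" account name and exploitation beginning September 10, 2025), as an added example that is not from this article or from Fortra. The CSV columns and sample rows are constructed assumptions; adapt them to whatever admin-user export your deployment provides.

```python
import csv
import io
from datetime import datetime, timezone

# Indicators taken from the article text above.
BACKDOOR_NAME = "admin-go"
WINDOW_START = datetime(2025, 9, 10, tzinfo=timezone.utc)  # earliest reported exploitation

# Constructed sample export (hypothetical columns, not a GoAnywhere format).
SAMPLE_EXPORT = """username,created_at,created_by
jsmith,2024-03-02T09:15:00+00:00,root-admin
backup-svc,2025-09-05T11:00:00+00:00,root-admin
admin-go,2025-09-11T02:41:07+00:00,
ops-temp,2025-09-14T23:58:30+00:00,unknown
Admin-GO ,2025-08-01T00:00:00+00:00,root-admin
"""

def triage_admin_accounts(export_text, approved=frozenset()):
    """Return (username, reasons) for admin accounts that need review."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        name = row["username"].strip()
        reasons = []
        # Compare case-insensitively so trivial variants do not slip through.
        if name.lower() == BACKDOOR_NAME:
            reasons.append("matches reported backdoor account name")
        created = datetime.fromisoformat(row["created_at"].strip())
        if created.tzinfo is None:
            created = created.replace(tzinfo=timezone.utc)  # assume UTC if unstated
        # Accounts created in the exploitation window need a known owner.
        if created >= WINDOW_START and name not in approved:
            reasons.append("created on or after 2025-09-10 and not on the approved list")
        if not (row["created_by"] or "").strip():
            reasons.append("no recorded creator")
        if reasons:
            findings.append((name, reasons))
    return findings

if __name__ == "__main__":
    for name, reasons in triage_admin_accounts(SAMPLE_EXPORT, approved={"ops-temp"}):
        print(f"{name}: {'; '.join(reasons)}")
```

The `approved` set is where change-managed accounts created during the window are excluded; anything left over warrants a manual review of who created it and why.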

    The Persistent Pattern of MFT Vulnerability

    This incident is far from isolated. Over the past few years, we've witnessed a consistent pattern among legacy file sharing systems:

    There’s one common thread you can’t miss. Legacy architectures, complex patch management requirements, and high-value data all make these systems prime targets for determined attackers.

    Reimagining Secure File Transfer for Modern Threats

    The recurring security gaps in legacy file transfer solutions highlight a fundamental truth: Patches alone cannot address architectural vulnerabilities. Organizations need a different approach to protecting sensitive data.

    The Data-Centric Security Advantage

    Traditional security focuses on protecting infrastructure — servers, networks, perimeters. But when those defenses fail, as we've seen repeatedly, unprotected data becomes instantly vulnerable.

    We're trapped in a vulnerability cycle: A critical flaw is discovered, organizations scramble to patch, attackers exploit the window of exposure, data is compromised, and then we wait for the next exploit or vulnerability to repeat the process. This cycle has played out with MOVEit, SharePoint, earlier GoAnywhere flaws, and now again with CVE-2025-10035.

    Data-centric security flips this model. Instead of just securing the pipes, we also secure the data itself with protection that persists regardless of where it travels or which systems might be compromised.

    How Virtru's Approach Differs

    At Virtru, we've built our platform on the Trusted Data Format (TDF), which embeds security directly into data objects. This means:

    • Persistent Control: Revoke access or change permissions even after files are shared
    • End-to-End Encryption: Data stays protected at rest, in transit, and in use
    • Audit Trails That Travel: Know who accessed what, when, wherever your data goes
    • Zero Trust Architecture: Every access request is validated, no implicit trust

    When systems are compromised, as happened with GoAnywhere, TDF-protected data remains encrypted and under your control. Attackers may steal files, but without authorization, those files are useless. This breaks the vulnerability cycle by ensuring that infrastructure compromises don't automatically equal data breaches.

    Break Free From the Vulnerability Cycle with Virtru

    For organizations tired of the endless vulnerability cycle, Virtru offers a fundamentally different approach:

    Virtru Secure Share: Share files of any size with confidence, knowing protection travels with your data. Military-grade encryption, granular access controls, and the ability to revoke access anytime. Secure Share stands as an ad-hoc file sharing service that can also be integrated with your existing Google or Microsoft suites, along with a host of integrations that make file sharing quick and simple without sacrificing security.

    Platform-Wide Protection: Secure email, files, and SaaS applications with consistent data-centric controls across your entire digital ecosystem.

    No Infrastructure to Exploit: Our cloud-native architecture means no software patches to keep track of, and no legacy infrastructure to maintain — just secure data sharing that works, anywhere you need it.

    The Fortra GoAnywhere zero-day won't be the last critical vulnerability in legacy file transfer systems. But with data-centric security from Virtru, you can step off the vulnerability hamster wheel and ensure your sensitive information stays protected — regardless of which system gets compromised next.


    Ready to break free from the vulnerability cycle? Contact our team to see how Virtru can protect your most sensitive data.

    Editorial Team

    The editorial team consists of Virtru brand experts, content editors, and vetted field authorities. We ensure quality, accuracy, and integrity through robust editorial oversight, review, and optimization of content from trusted sources, including use of generative AI tools.
