The managed file transfer (MFT) world is experiencing déjà vu once again.
Security researchers at watchTowr Labs have revealed that threat actors actively exploited a critical vulnerability in Fortra GoAnywhere MFT (CVE-2025-10035) for at least a week before its public disclosure on September 18, 2025. With a perfect CVSS score of 10.0, this latest zero-day adds to an increasingly concerning pattern of attacks against legacy file transfer solutions.
For security teams still recovering from previous MFT zero day exploits (Progress MOVEit, Kiteworks/Accellion, and earlier GoAnywhere vulnerabilities) this latest news is further proof that legacy file transfer systems are a favorite target for sophisticated threat actors.
The timeline of CVE-2025-10035 tells a troubling story. Evidence indicates active exploitation began as early as September 10, 2025, with attackers leveraging the vulnerability to:
What makes this particularly concerning is not just the severity of the vulnerability, but the sophistication of the attack chain and the week-long window of undetected exploitation before patches became available. According to security researchers, CVE-2025-10035 isn't a single flaw, but rather a chain of vulnerabilities:
This multi-layered vulnerability demonstrates the complex attack surfaces that legacy MFT systems present, and why they continue to attract the attention of advanced persistent threat (APT) groups and ransomware operators. These legacy systems can be difficult to patch, and they require ongoing maintenance and resource-intensive monitoring to remain resilient against sophisticated threats.
This incident is far from isolated. Over the past few years, we've witnessed a consistent pattern among legacy file sharing systems:
There’s one common thread you can’t miss. Legacy architectures, complex patch management requirements, and high-value data all make these systems prime targets for determined attackers.
The recurring security gaps in legacy file transfer solutions highlights a fundamental truth: Patches alone cannot address architectural vulnerabilities. Organizations need a different approach to protecting sensitive data.
Traditional security focuses on protecting infrastructure — servers, networks, perimeters. But when those defenses fail, as we've seen repeatedly, unprotected data becomes instantly vulnerable.
We're trapped in a vulnerability cycle: A critical flaw is discovered, organizations scramble to patch, attackers exploit the window of exposure, data is compromised, and then we wait for the next exploit or vulnerability to repeat the process. This cycle has played out with MOVEit, SharePoint, earlier GoAnywhere flaws, and now again with CVE-2025-10035.
Data-centric security flips this model. Instead of just securing the pipes, we also secure the data itself with protection that persists regardless of where it travels or which systems might be compromised.
At Virtru, we've built our platform on the Trusted Data Format (TDF), which embeds security directly into data objects. This means:
When systems are compromised, as happened with GoAnywhere, TDF-protected data remains encrypted and under your control. Attackers may steal files, but without authorization, those files are useless. This breaks the vulnerability cycle by ensuring that infrastructure compromises don't automatically equal data breaches.
For organizations tired of the endless vulnerability cycle, Virtru offers a fundamentally different approach:
Virtru Secure Share: Share files of any size with confidence, knowing protection travels with your data. Military-grade encryption, granular access controls, and the ability to revoke access anytime. Secure Share stands as an ad-hoc file sharing service that can also be integrated with your existing Google or Microsoft suites, along with a host of integrations that make file sharing quick and simple without sacrificing security.
Platform-Wide Protection: Secure email, files, and SaaS applications with consistent data-centric controls across your entire digital ecosystem.
No Infrastructure to Exploit: Our cloud-native architecture means no software patches to keep track of, and no legacy infrastructure to maintain — just secure data sharing that works, anywhere you need it.
The Fortra GoAnywhere zero-day won't be the last critical vulnerability in legacy file transfer systems. But with data-centric security from Virtru, you can step off the vulnerability hamster wheel and ensure your sensitive information stays protected — regardless of which system gets compromised next.
Ready to break free from the vulnerability cycle? Contact our team to see how Virtru can protect your most sensitive data.