All federal civilian agencies have been ordered to patch a vulnerability affecting a widely-used file transfer tool that some researchers believe is being exploited by hackers. 

The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-10035 — a critical vulnerability in Fortra's GoAnywhere MFT solution — to its Known Exploited Vulnerabilities list Monday. Federal civilian agencies have until October 20 to patch it. 

The vulnerability carries a severity score of 10 out of 10 and has caused alarm among cybersecurity experts who have criticized Fortra for not saying whether it has seen the bug being exploited. 

In comments to Recorded Future News over the past week, Fortra would not confirm industry reports that CVE-2025-10035 has already been used in attacks. 

A spokesperson for the company said the issue was first discovered on September 11 when Fortra “identified that GoAnywhere customers with an Admin Console accessible over the internet could be vulnerable to unauthorized third-party exposure.”

“We immediately developed a patch and offered customers mitigation guidance to help resolve the issue,” the company said. “Customers should review configurations immediately and remove public access from the Admin Console. Our investigation is ongoing. We will provide further updates as appropriate."

In follow-up comments this week, Fortra officials said CVE-2025-10035 is “primarily relevant to organizations with a GoAnywhere admin console exposed to the internet.” 

The company added that it has continued “to provide direct updates and support” to customers.

Alongside CVE-2025-10035, CISA added multiple vulnerabilities to the KEV list on Monday, including issues affecting tools from Sudo, Libraesva and Cisco.

‘Can it wait till Christmas?’

Cybersecurity firm watchTowr published a lengthy report on CVE-2025-10035 and explained that there are indications that it is currently being exploited. 

Fortra’s advisory “is quietly hinting at real-world exploitation without explicitly saying it,” watchTowr researchers said. 

After releasing an initial advisory, watchTowr said it was given credible evidence showing the vulnerability was being actively exploited in the wild as early as September 10.

“This is not ‘just’ a CVSS 10.0 flaw in a solution long favored by APT groups and ransomware operators — it is a vulnerability that has been actively exploited in the wild since at least September 10, 2025,” said watchTowr CEO Benjamin Harris. 

Harris did not have more information on who was behind the exploitation or how many victims may be vulnerable to the bug, estimating that likely thousands of internet-facing file transfer systems are at risk. There are still big questions to be answered about how hackers are exploiting the bug, according to Harris. 

His team is still unclear on how exploitation of this vulnerability is possible “unless a few very scary scenarios have played out.”. 

“We continue to be confused as to why Fortra is not advising customers of what appears to be clear evidence of in-the-wild exploitation since at least September 10th,” Harris said. “CISA’s addition of these vulnerabilities to the exclusive [Known Exploited Vulnerabilities] list only adds to this confusion. We urge Fortra to share their viewpoint and would encourage customers to ask Fortra what they should be doing with regards to patching cycles. Is this urgent, or can it wait until Christmas?”

Other watchTowr experts noted that the vulnerability resembles CVE-2023-0669 — another GoAnywhere vulnerability that was exploited widely by multiple ransomware gangs in 2023. 

The Clop ransomware gang breached more than 130 organizations in 2023 by abusing the GoAnywhere vulnerability, stealing information from large companies like Hitachi, Rubrik, Rio Tinto, Community Health Systems and more.  

The governments of Toronto and Tasmania were affected by the incident alongside corporate giants like Proctor & Gamble, Virgin and several large banks.

Over the last five years, cybercriminal gangs have earned millions of dollars in ransoms by exploiting vulnerabilities in file transfer tools like GoAnywhere.