Fortra may have disclosed ongoing attacks involving the maximum severity issue in its GoAnywhere MFT software, tracked as CVE-2025-10035, but cybersecurity researchers have noted a lack of information regarding the compromise of a private key essential for the exploitation of the flaw, according to CyberScoop

Despite detailing customer log reviews, vulnerability-related activity discovery, and widespread GoAnywhere MFT remediation efforts following an initial report of suspicious activity on Sept. 11, Fortra has not shed light on the extent of the flaw's exploitation.

"The fact that Fortra has now opted to confirm 'unauthorized activity related to CVE-2025-10035,' confirms yet again that the vulnerability was not theoretical, and that the attacker has somehow circumvented, or satisfied, the cryptographic requirements needed to exploit this vulnerability," said watchTowr founder and CEO Ben Harris.