Vulnerability Management, Patch/Configuration Management, DevSecOps

Fortra GoAnywhere MFT bug actively exploited days before patch released

Binary code on screen with red glowing "BUG" text, symbolizing software malfunction, coding error, or system glitch. Ideal for tech content, debugging, and cybersecurity topics.

A 10.0 deserialization flaw in Fortra’s GoAnywhere managed file transfer (MFT) software has been actively exploited since Sept. 10, eight days before Fortra released patches.

In a Sept. 25 blog post, watchTower Labs said that security teams face a simple reality: “This leaves security teams scrambling to assess risk and decide whether to assume continued exposure, or to treat this as a prompt for a full incident response and forensic review.”

MacKenzie Brown, vice president of the Advisory Pursuit Group at Blackpoint Cyber, said if left unpatched, an attacker can gain remote code execution capabilities, control the affected system, and given this is another managed file transfer solution like MOVEit Transfer, any successful compromise could lead to data exfiltration.

Brown said these 10.0 flaws are easy to exploit, so even low-end threat actors can exploit the bug.

“Adding to the criticality of this type of vulnerability is the extensive historical targeting by threat actors — most notably the Clop ransomware operation, which has a long history of exploiting managed file transfer software, with GoAnywhere MFT previously serving as one of its most high-profile initial access points in a large-scale extortion campaign,” said Brown. “These platforms are especially attractive to threat actors because they often handle highly sensitive business data, provide direct access to large volumes of files, and are widely deployed across various industries.”

Jason Soroko, senior fellow at Sectigo, said because MFT platforms broker file flows for partners and back-end systems and often hold secrets and connectors, the blast radius includes data theft across workflows and lateral movement into internal networks.

“Organizations should assume exposed GoAnywhere instances may already be targeted,” said Soroko. “Patch immediately or take the service offline until remediation is complete and restrict internet exposure afterward.”

Other advice to security teams from Soroko:

  • Rotate all credentials and tokens used by or stored in the product, including service accounts partner keys database passwords and certificates and reissue where needed.
  • If indicators are present, rebuild from a trusted image rather than cleaning in place and add short term reverse proxy or WAF rules to block the license endpoints while you harden access controls and monitoring.
  • Continue to watch for new indicators; coordinate with vendors and notify partners if file transfer workflows may have been exposed.

Related Events

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds