Threat intelligence professionals have a sense of foreboding about a maximum-severity vulnerability Forta disclosed last week in its file-transfer service GoAnywhere MFT, as they steel themselves for active exploitation and signs of compromise.

Forta has not declared the defect actively exploited and did not answer questions to that effect from CyberScoop. Yet, researchers at watchTowr said they’ve obtained credible evidence of active exploitation of the vulnerability dating back to Sept. 10. 

The disagreement between vendor and research firm highlights a stubborn conundrum in the world of vulnerability disclosure and management. When defects turn out to be more severe  and actively exploited than vendors initially report, it creates unnecessary challenges for defenders and impacted users.

Forta did not answer questions about or respond to watchTowr’s latest findings. Forta maintains it discovered the vulnerability or its potential impact during a “security check” on Sept. 11, but it hasn’t included those details in the advisory. 

The cybersecurity vendor previously updated its security advisory for the deserialization vulnerability — CVE-2025-10035 — with details that baffled some researchers due to its lack of clarity. Forta added indicators of compromise and stack traces that, if present in customers’ log files, indicate their “instance was likely affected by this vulnerability,” the company said.

Ben Harris, founder and CEO at watchTowr, discredited some of Forta’s public statements about the vulnerability as he and his team of researchers confirmed suspicions they had about attacks linked to the vulnerability when it was first disclosed.

“What a mess,” he told CyberScoop. “All they had to do was just be honest and transparent — and instead, have turned this into scandal.”

Threat hunters’ concerns about the vulnerability were amplified when Forta updated its advisory to share specific strings for customers to monitor in their log files. 

The IOCs added to Forta’s advisory “makes us logically uneasy because it strongly suggests that attackers may already be active,” Harris said prior to confirming active exploitation. The details added to the vendor’s “Am I Impacted?” section in the advisory “implies this isn’t just a hypothetical risk,” Harris added. 

Researchers from Rapid7 and VulnCheck drew similar conclusions, noting its rare for vendors to publish IOCs for new critical vulnerabilities absent confirmed exploitation. 

“While the IOCs do not confirm exploitation in the wild, they strongly suggest the vendor believes that this vulnerability will be exploited if it has not already been,” said Stephen Fewer, senior principal researcher at Rapid7.

Private key, the missing link

Vulnerability researchers uncovered additional details about the steps attackers would have to take to achieve exploitation, including unexplained access to a specific private key.

“To successfully achieve remote-code execution, an attacker must send a signed Java object to the target GoAnywhere MFT server. The target server will use a public key to verify the signed object and, if the signature is valid, then an unsafe deserialization vulnerability can be hit, achieving arbitrary code execution,” Fewer said. 

“The missing detail is how the attacker can achieve this when the required private key is not present in the code base of GoAnywhere MFT,” he added.

This key, its whereabouts and how an attacker might gain access to it has researchers on edge, leading some to speculate the private key may have been leaked or otherwise stolen from a cloud-based GoAnywhere license server, which is designed to legitimize signed objects.

Researchers don’t have the private key and have been unable to produce a working exploit without it.

“Adversaries overall are opportunistic,” said Caitlin Condon, vice president of security research at VulnCheck. “It’s a pretty big deal for them to somehow get access to private keys.”

Cybercriminals have accessed private keys before, as evidenced earlier this month when an attacker exploited a zero-day vulnerability in Sitecore by using sample keys customers copied and pasted from the vendor’s documentation. 

A key was at the root cause of a major China-affiliated espionage attack on Microsoft Exchange Online in 2023, which exposed emails belonging to high-ranking U.S. government officials and others. Microsoft never definitively determined how the threat group it tracks as Storm-0558 acquired the key, and a federal review board later lambasted the company for “a cascade of security failures” in a scathing report about the attack and its widespread impact.

Vendor responsibility tested

Vendors are responsible for providing their customers with timely and actionable information that can protect them against attacks, including explicit acknowledgement of active exploitation, experts said. 

“This provides clarity and peace of mind for defenders looking to prioritize vulnerabilities more effectively in a challenging threat climate, rather than forcing them to speculate or rely on third-party research to answer questions that the supplier is best positioned to address,” said Caitlin Condon, vice president of security research at VulnCheck. 

“The easiest way to know whether this vulnerability, or any vulnerability, has been exploited would be for the vendor to explicitly disclose whether they’re aware of confirmed malicious activity in customer environments,” she said.

The maximum-severity score designated to CVE-2025-10035 is a revealing signal, Condon added. “It’s unusual for a vendor to assign a perfect 10 CVSS score unless they’ve validated vulnerability details and confirmed how an adversary would conduct a successful attack,” she said. 

Forta has been through this before. Its customers were previously targeted with a widely exploited zero-day vulnerability in the same file-transfer service two years ago. Fortra’s description of CVE-2025-10035 bears striking similarities to CVE-2023-0669, a defect exploited by Clop, resulting in attacks on more than 100 organizations, and at least five other ransomware groups.

Harris criticized Fortra for its reluctance to share crucial information.

“As an organization that signed CISA’s Secure By Design pledge that includes wording around transparency for in-the-wild exploitation, the situation seems rather disappointing,” he said. 

Enterprises, security professionals and defenders rely on accurate data to determine exposure and react accordingly, Harris added. 

“When transparency is missing, these same teams are left in the dark and left with inadequate information to make risk decisions,” he said. “Given the context of the solution being used, and the organizations that use this solution, we cannot understate the impact of additional dwell time for an attacker in some of these environments.”

The post Worries mount over max-severity GoAnywhere defect appeared first on CyberScoop.

Researchers warned that a maximum-severity vulnerability affecting GoAnywhere MFT bears striking similarities with a widely exploited defect in the same file-transfer service two years ago.

Fortra, the cybersecurity vendor behind the product, disclosed and released a patch for the vulnerability — CVE-2025-10035 — Thursday. The deserialization vulnerability “allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection,” the company said in a security advisory.

File transfer services are a valuable target for attackers because they store a lot of sensitive data. If cybercriminals exploit these services, they can quickly access information from many users at once, making these services especially attractive for large-scale attacks. 

Fortra didn’t provide any evidence of active exploitation and researchers from multiple security firms said they haven’t observed exploitation but expect that to change soon. “We believe that it’s just a matter of time and are monitoring the situation closely,” Ryan Dewhurst, head of proactive threat intelligence at watchTowr, said in an email.

The vulnerability, which has a CVSS rating of 10, is “virtually identical to the description for CVE-2023-0669,” a zero-day vulnerability exploited by Clop, resulting in attacks on more than 100 organizations, and at least five other ransomware groups, Caitlin Condon, vice president of security research at VulnCheck, said in a blog post. 

Clop, a highly prolific, financially motivated ransomware group, specializes in exploiting vulnerabilities in file-transfer services. The threat group achieved mass exploitation as it infiltrated MOVEit environments in 2023, ultimately exposing data from more than 2,300 organizations, making it the largest and most significant cyberattack that year.

“By design, file transfer services process and store sensitive files,” Dewhurst said. “These are a prime target for threat actors, especially ransomware groups, which can use the exposed files as blackmail.”

Stephen Fewer, senior principal researcher at Rapid7, noted that file-transfer services are often exposed to the internet with network credentials supporting data access, storage and flow — factors that create a high-value target for attackers. 

The new defect doesn’t require authentication, and deserialization vulnerabilities are typically more reliable than other bugs, including memory-corruption errors, Fewer said.

Researchers aren’t aware of publicly available proof-of-concept exploit code, yet it could exist privately. “As always, if the vulnerability turns out to have been exploited in the wild as a zero-day — which was unclear at time of disclosure — patching alone will not eradicate adversaries from compromised systems,” Condon said.

Fortra told CyberScoop it discovered the vulnerability during a security check Sept. 11. “We identified that GoAnywhere customers with an admin console accessible over the internet could be vulnerable to unauthorized third-party exposure,” Jessica Ryan, public relations manager at Fortra, said in an email. 

“We immediately developed a patch and offered customers mitigation guidance to help resolve the issue,” she added.

The managed file-transfer service is one of three GoAnywhere products used by more than 3,000 organizations, including Fortune 500 businesses, according to Fortra.

The vendor appears three times on the Cybersecurity and Infrastructure Security Agency’s known exploited vulnerabilities catalog, with all three defects added under a two-month period in 2023.

The post Researchers raise alarm over maximum-severity defect in GoAnywhere file-transfer service appeared first on CyberScoop.

An attacker exploited a zero-day vulnerability in Sitecore stemming from a misconfiguration of public ASP.NET machine keys that customers implemented based on the vendor’s documentation, according to researchers.

The critical zero-day defect — CVE-2025-53690 — was exploited by the attacker using exposed keys to achieve remote code execution, Mandiant Threat Defense said in a report Wednesday. The sample machine keys were included in Sitecore’s deployment guides dating back to at least 2017.

The configuration vulnerability impacts customers who used the sample key provided with deployment instructions for Sitecore Experience Platform 9.0 and earlier, Sitecore said in a security bulletin Wednesday. The vendor warned that all versions of Experience Manager, Experience Platform and Experience Commerce may be impacted if deployed in a multi-instance mode with customer-managed static machine keys.

“The issue stems from Sitecore users copying and pasting example keys from official documentation, rather than generating unique, random ones — a move we don’t recommend,” said Ryan Dewhurst, head of proactive threat intelligence at watchTowr. “Any deployment running with these known keys was left exposed to ViewState deserialization attacks, a straight path right to remote code execution.”

Mandiant said it disrupted the attack after engaging with Sitecore, but said that effort prevented it from observing the full attack lifecycle. The incident response firm warns that many Sitecore customers used the commonly known ASP.NET machine key. 

Upon gaining access to the affected internet-exposed Sitecore instance, the attacker deployed a ViewState payload containing malware designed for internal reconnaissance, according to Mandiant. Researchers explained that ViewStates, an ASP.NET feature, are vulnerable to deserialization attacks when validation keys are absent or compromised. 

Mandiant said the unidentified attacker, whose motivations are unknown, demonstrated a deep understanding of Sitecore’s product as it progressed from initial compromise to escalate privileges and achieve lateral movement. 

Sitecore and researchers advised customers to rotate the machine key if a commonly known one was used, and hunt for evidence of ViewState deserialization attacks. Rotating keys won’t protect organizations using systems the attacker may have already intruded. 

Mandiant researchers said the attacker established footholds, deployed malware and tools to maintain persistence, conducted reconnaissance, achieved lateral movement and stole sensitive data.

“It is quite common for documentation to contain placeholder keys, such as ‘PUT_YOUR_KEY_HERE,’ or other randomly generated examples,” Dewhurst said. “It is ultimately both a failure on the user’s and Sitecore’s side. The user should know not to copy and paste public machine keys, and Sitecore should adequately warn users not to.”

The number of organizations compromised or potentially exposed to attacks remains unknown. Sitecore did not immediately respond to a request for comment.

Caitlin Condon, VP of security research at VulnCheck, said the zero-day vulnerability is an insecure configuration at its core, exacerbated by the public exposure of the sample machine key. 

“It’s entirely possible that the software supplier hadn’t meant for a sample machine key to be used indefinitely for production deployments but, as we know, software is deployed and configured in unintended ways all the time,” she said. “If there’s one takeaway from this, it’s that adversaries definitely read product docs, and they’re good at finding quirks and forgotten tricks in those docs that can be used opportunistically against popular software.”

The post Sitecore zero-day vulnerability springs up from exposed machine key appeared first on CyberScoop.

Citrix and cybersecurity researchers warn a critical, zero-day vulnerability affecting multiple versions of Citrix NetScaler products is under active exploitation. Citrix issued a security bulletin about the vulnerability — CVE-2025-7775 — and urged customers on affected versions to install upgrades Tuesday.

The memory-overflow vulnerability, which has an initial CVSS rating of 9.2, can be exploited to achieve remote-code execution or denial of service. Citrix disclosed two additional defects Tuesday, including CVE-2025-7776, another memory-overlow vulnerability affecting Citrix NetScaler ADC and its virtual private network NetScaler Gateway, and CVE-2025-8424, which affects the management interface for the products. 

Citrix products have been widely targeted in previous attack sprees. The vendor has disclosed three actively exploited zero-day vulnerabilities since mid-June, including CVE-2025-6543 and CVE-2025-5777, which threat hunters likened to “CitrixBleed,” or CVE-2023-4966, which affected the same products.

The Cybersecurity and Infrastructure Security Agency added CVE-2025-7775 to its known exploited vulnerabilities catalog Tuesday. The vendor has appeared on the agency’s list of vulnerabilities known to be exploited seven times this year, and a total of 21 times since late 2021.

Ben Harris, CEO at watchTowr said the new Citrix zero-day has already been actively exploited to deploy backdoors, facilitating total compromise. “Patching is critical, but patching alone won’t cut it,” he said in an email. “Unless organizations urgently review for signs of prior compromise and deployed backdoors, attackers will still be inside.”

While the memory-corruption vulnerability defect is severe, its impact differs from the zero-days Citrix disclosed earlier this summer, according to Harris. “Each of these vulnerabilities presents unique risks, but all share the potential for significant exploitation,” he added. 

Citrix said the vulnerability also affects older versions of NetScaler ADC and NetScaler Gateway, including versions 12.1 and 13.0, that are end of life and no longer supported with security updates. The vendor advised customers to upgrade their appliances to a newer, supported version to address the vulnerabilities. 

Scott Caveza, senior staff research engineer at Tenable, said these outdated versions of the affected products are still widely used, calling them “ticking time bombs” due to the heightened attacker interest in Citrix vulnerability exploitation. Nearly 1 in 5 NetScaler assets identified in Tenable’s telemetry data are on supported versions, he said. 

Citrix and researchers haven’t detailed the extent to which the new zero-day has been actively exploited, but researchers are concerned “It’s very likely that ransomware gangs or other advanced persistent threat groups will soon capitalize on this flaw,” Caveza said.

Less than a month after Citrix disclosed CVE-2025-5777, researchers observed more than 11.5 million attack attempts targeting thousands of sites. 

“The reality is, critical software will always attract attackers,” Harris said. 

“Some vulnerabilities are a natural part of life in complex software and are thus forgivable,” he said. “When trivial flaws repeatedly allow total compromise with little defender recourse — this veers quickly into unforgivable territory.”

The post Citrix NetScaler customers hit by third actively exploited zero-day vulnerability since June appeared first on CyberScoop.

Attackers are actively exploiting a critical zero-day vulnerability affecting on-premises Microsoft SharePoint servers, prompting industry heavyweights to sound the alarm over the weekend. 

Researchers discovered the active, ongoing attack spree Friday afternoon and warnings were issued en masse by Saturday evening. Microsoft released urgent guidance Saturday, advising on-premises SharePoint customers to turn on and properly configure Antimalware Scan Interface in SharePoint or disconnect servers from the internet until an emergency patch is available. The company released patches for two of the three versions of SharePoint affected by the defect Sunday, but has not issued a patch for SharePoint Server 2016 as of Monday morning. 

Researchers warn that attackers have already used the exploit dubbed “ToolShell” to intrude hundreds of organizations globally, including private companies and government agencies. The Cybersecurity and Infrastructure Security Agency issued an alert about active attacks and added the defect to its known exploited vulnerabilities catalog Saturday.

“This is a high-severity, high-urgency threat,” Michael Sikorski, chief technology officer and head of threat intelligence at Palo Alto Networks Unit 42, said in a statement. 

Ryan Dewhurst, head of proactive threat intelligence at watchTowr, said hundreds of organizations across government, education and critical infrastructure have been impacted across the United States, Germany, France and Australia. “This is going global, fast,” he said, adding that initial scans for the exploit started Wednesday, and exploitation was in full swing through Thursday and Friday.

The critical remote-code execution vulnerability, CVE-2025-53770, has an initial CVSS score of 9.8 and allows attackers to intrude unauthenticated systems with full access to files, internal configurations and code execution. The defect is a variant of CVE-2025-49706, which was patched in Microsoft’s security update earlier this month. 

The new widely exploited defect “reflects a bypass around Microsoft’s original patch” for CVE-2025-49706, Dewhurst said. Microsoft confirmed attacks are targeting on-premises SharePoint server customers by exploiting vulnerabilities partially addressed in the company’s July security update.

“Attackers are bypassing identity controls, including multi-factor authentication and single sign-on, to gain privileged access. Once inside, they’re exfiltrating sensitive data, deploying persistent backdoors, and stealing cryptographic keys,” Sikorski added. 

“The attackers have leveraged this vulnerability to get into systems and are already establishing their foothold. If you have SharePoint on-prem exposed to the internet, you should assume that you have been compromised at this point,” he said. “Patching alone is insufficient to fully evict the threat.”

Palo Alto Networks Unit 42 said attackers are targeting organizations worldwide by dropping malicious ASPX payloads via PowerShell and stealing SharePoint servers’ internal cryptographic machine keys to maintain persistent access. 

“The theft of the MachineKey is critical because it allows attackers persistent, unauthenticated access that can bypass future patching,” Austin Larsen, principal threat analyst at Google Threat Intelligence Group, said in a LinkedIn post Saturday. “Organizations with vulnerable, public-facing SharePoint instances must urgently investigate for compromise and be prepared to rotate these keys to fully remediate the threat.”

Researchers at Eye Security said they’ve observed at least two waves of attacks as part of the mass exploitation campaign, and upon scanning more than 8,000 public-facing SharePoint servers determined the exploit is systemic. 

“Within hours, we identified more than dozens of separate servers compromised using the exact same payload at the same filepath. In each case, the attacker had planted a shell that leaked sensitive key material, enabling complete remote access,” Eye Security said in a blog post Saturday.

Attribution efforts are ongoing, but early signs point to nation-state attackers focused on persistence, Dewhurst said. “As always, when there is mass attention to a vulnerability, crime gangs and other threat actor groups will follow, which is what we’re seeing now.”

Shadowserver, which is working with Eye Security and watchTowr to notify impacted organizations, said its scans found about 9,300 SharePoint servers exposed to the internet daily.

“CISA was made aware of the exploitation by a trusted partner and we reached out to Microsoft immediately to take action. Microsoft is responding quickly, and we are working with the company to help notify potentially impacted entities about recommended mitigations,” Chris Butera, acting executive assistant director at CISA, said in a statement. “CISA encourages all organizations with on-premise Microsoft Sharepoint servers to take immediate recommended action.”

Microsoft declined to answer questions, as its top security executives issued updates on social media throughout the weekend, noting that the company is working urgently to release patches for all impacted versions of SharePoint. The cloud-based version of SharePoint in Microsoft 365 is not impacted.

“We’re fairly certain it’s for once acceptable to call this a close-to-worst-case scenario. We spent the weekend trying to alert organizations to their exposure and, in some cases, were forced to watch them get compromised in real-time,” Dewhurst said.

“The sad reality is that we’ll see this vulnerability exploited long into the future as organizations fail to patch or as attackers return to regain access after stealing cryptographic keys, as has been seen heavily in activity this weekend,” he said.

Sikorski noted that SharePoint’s deep integration with Microsoft’s platform, which contains all the information valuable to an attacker, makes this especially concerning. “A compromise doesn’t stay contained — it opens the door to the entire network,” he said.

“An immediate, Band-Aid fix would be to unplug your Microsoft SharePoint from the internet until a patch is available,” Sikorski added. “A false sense of security could result in prolonged exposure and widespread compromise.”

The post Mass attack spree hits Microsoft SharePoint zero-day defect appeared first on CyberScoop.