Security researchers have confirmed that threat actors have exploited the maximum-severity vulnerability affecting Fortra's GoAnywhere managed file transfer (MFT), and chastised the vendor for a lack of transparency.

The experts over at watchTowr, never ones to mince their words, described the revelation as "an increasingly disappointing situation," criticizing Fortra for not sharing enough details about the exploitation status of CVE-2025-10035.

The Register reported on the vulnerability last week after Fortra disclosed it on September 18. In our story, we noted that Fortra did not confirm whether it was actively being exploited under its "Am I Impacted?" section.

"Exploitation of this vulnerability is highly dependent upon systems being externally exposed to the internet," it said at

See Full Page