The Zero-Day Playbook: Fortra’s Hour-by-Hour Timeline of CVE-2025-10035 (Detection + IR Playbook)
Disclosure: This is an incident response analysis for security professionals. It contains affiliate links to relevant enterprise security solutions. Your support helps fund our independent research.
- CVE-2025-10035 is a critical deserialization flaw in the License Servlet of Fortra GoAnywhere MFT that leads to remote code execution. Fortra has fixed it in 7.8.4 and Sustain Release 7.6.3; apply the patch immediately and, until you can, make sure the Admin Console is not reachable from the internet.
- Fortra's investigation shows the attacker timeline from initial RCE to enterprise-wide ransomware can be **under 12 hours**. The "Golden Hour" for detection is critical.
- **Action Now:** (1) Patch, or isolate the Admin Console from the internet until you can. (2) Hunt for signs of compromise: the vendor-published `SignedObject.getObject` stack trace in GoAnywhere logs, and the Java process spawning `powershell.exe` or `cmd.exe`. (3) Deploy the copy-paste SOC hunt queries provided in this report.
Incident Facts — Verified Sources
- **Vendor Advisory (Fortra):** Fortra published an advisory and post-mortem on CVE-2025-10035.
- **NVD Entry:** CVE-2025-10035 is recorded with a CVSS score of 9.8 (Critical).
- **Industry Coverage:** Widespread exploitation confirmed by Microsoft, CISA, and others.
Part 1: The Executive Briefing — The 12-Hour Path from Zero-Day to Ransomware
The Fortra post-mortem report gives a minute-by-minute view of the attacker's playbook for exploiting the GoAnywhere MFT zero-day. The finding that matters most to a CISO is speed: threat actors progressed from initial exploitation to enterprise-wide ransomware deployment in **less than 12 hours**. A SOC that works at human speed, triaging alerts hours after they fire, cannot contain an intrusion on that timeline; detection and first-response containment have to be automated.
Part 2: Defender's Playbook — Mapping Detections to the Kill Chain (Copy-Paste Ready)
Objective: detect exploitation within the first 60 minutes (the Golden Hour) and contain the MFT server before the attacker moves laterally.
High-priority detections (implement immediately)
- Search GoAnywhere's application and admin audit logs for the string `SignedObject.getObject`. Fortra names a stack trace containing it as the primary indicator that the License Servlet was handed a forged, attacker-controlled object.
- Process parent→child anomaly: `java.exe` (the JVM hosting GoAnywhere) spawning `cmd.exe` or `powershell.exe` (monitor via EDR). Unless a workflow on that server is deliberately configured to run native commands, the JVM has no reason to launch a shell, so a single hit justifies isolating the host.
- File writes in web app directories: new `.jsp` files in GoAnywhere paths, the usual way an attacker drops a web shell for persistence after the initial RCE.
- Outbound beaconing: connections from the MFT server to destinations that are not known transfer partners, or a sudden rise in outbound connection count. An MFT server's egress should be a short, stable list, which makes this an easy baseline.
SOC HUNT KIT
Sigma Rule:

```yaml
title: Suspicious Java Spawning Shell (GoAnywhere Exploit)
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects java.exe launching cmd.exe or powershell.exe, indicating possible post-exploitation activity from a compromised GoAnywhere MFT server.
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    ParentImage|endswith: '\java.exe'
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
  condition: selection
falsepositives:
  - Build servers and CI agents (Maven, Gradle, Jenkins) that legitimately shell out from Java; scope the rule to MFT hosts
level: critical
tags:
  - attack.execution
  - attack.t1059
```

Splunk Query (replace `index=*` with the index that holds your Sysmon data; the sourcetype is quoted because it contains `:` and `/`):

```spl
index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  ParentImage="*\\java.exe" (Image="*\\cmd.exe" OR Image="*\\powershell.exe")
| table _time, host, ParentImage, Image, CommandLine
```

Elastic EQL Query:

```eql
process where event.type == "start" and process.parent.name : "java.exe" and
  process.name : ("cmd.exe", "powershell.exe")
```
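The two highest-priority indicators above, the vendor's `SignedObject.getObject` log string and a Java parent launching a shell, combined into one offline triage script. This is an added example, not code from Fortra, from the Sigma project or from the original report. It runs the same parent→child logic as the Sigma, Splunk and EQL queries over constructed sample events, and goes beyond those Windows-only rules by also matching Linux GoAnywhere installs (a `java` parent launching `sh` or `bash`). The log excerpt, the install paths, the host names and the `com.example` package in the stack trace are all constructed assumptions, not real data; the only thing taken from the vendor advisory is the `SignedObject.getObject` frame itself.

```python
import re
from typing import Dict, List, Tuple

# --- Indicator 1: the vendor-published log IoC -------------------------------
# Fortra's advisory names a stack trace containing "SignedObject.getObject" in
# the GoAnywhere logs as the primary indicator of exploitation. Only that frame
# is taken from the advisory; the surrounding log format is an assumption.
SIGNEDOBJECT_IOC = re.compile(r"SignedObject\.getObject")

# Constructed sample log excerpt (not a real GoAnywhere log). Line 3 carries the
# indicator; the other lines are benign noise. "com.example" is a placeholder.
SAMPLE_GOANYWHERE_LOG = """\
2025-09-11 03:14:02 INFO  [LicenseServlet] license response received
2025-09-11 03:14:07 ERROR [LicenseServlet] java.lang.ClassCastException: cannot deserialize license response
\tat java.base/java.security.SignedObject.getObject(Unknown Source)
\tat com.example.license.LicenseResponseHandler.handle(Unknown Source)
2025-09-11 03:15:30 INFO  [Scheduler] nightly cleanup job finished
"""


def find_signedobject_hits(log_text: str) -> List[Tuple[int, str]]:
    """Return (1-based line number, line) for every log line carrying the IoC."""
    return [(n, line) for n, line in enumerate(log_text.splitlines(), 1)
            if SIGNEDOBJECT_IOC.search(line)]


# --- Indicator 2: the JVM spawning a shell -----------------------------------
# Image names for the JVM on Windows and Linux. If your deployment hosts the
# JVM under a service-wrapper image name instead, add it here.
JAVA_PARENTS = {"java.exe", "javaw.exe", "java"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash", "dash"}


def basename(path: str) -> str:
    """Last path component, case-folded, for either slash convention."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


# Constructed Sysmon/auditd-style process-creation events. Install paths and
# host names are assumptions chosen for the example, not observed values.
SAMPLE_PROCESS_EVENTS: List[Dict[str, str]] = [
    {"host": "mft01", "ParentImage": r"C:\Program Files\GoAnywhere\jre\bin\java.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"host": "mft01", "ParentImage": r"C:\Program Files\GoAnywhere\jre\bin\java.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -nop -w hidden -c "Get-Process"'},
    {"host": "mft02", "ParentImage": "/opt/goanywhere/jre/bin/java",
     "Image": "/bin/sh", "CommandLine": "sh -c id"},
    # Benign: a shell started from Explorer, and the JVM starting another JVM.
    {"host": "ws07", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    {"host": "mft01", "ParentImage": r"C:\Program Files\GoAnywhere\jre\bin\java.exe",
     "Image": r"C:\Program Files\GoAnywhere\jre\bin\java.exe", "CommandLine": "java -version"},
]


def java_spawning_shell(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Same selection as the Sigma rule, extended to Linux launchers and shells."""
    return [e for e in events
            if basename(e["ParentImage"]) in JAVA_PARENTS
            and basename(e["Image"]) in SHELL_CHILDREN]


def triage(log_text: str, events: List[Dict[str, str]]) -> Dict[str, object]:
    """Combine both indicators into one verdict an analyst can act on."""
    log_hits = find_signedobject_hits(log_text)
    proc_hits = java_spawning_shell(events)
    # Log IoC alone: an exploitation attempt reached the servlet, investigate.
    # Log IoC plus a shell under the JVM: treat as post-exploitation, isolate.
    if log_hits and proc_hits:
        verdict = "isolate"
    elif log_hits or proc_hits:
        verdict = "investigate"
    else:
        verdict = "clean"
    return {
        "log_ioc_lines": [n for n, _ in log_hits],
        "suspicious_hosts": sorted({e["host"] for e in proc_hits}),
        "suspicious_process_count": len(proc_hits),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for n, line in find_signedobject_hits(SAMPLE_GOANYWHERE_LOG):
        print(f"log line {n}: {line.strip()}")
    for e in java_spawning_shell(SAMPLE_PROCESS_EVENTS):
        print(f"{e['host']}: {basename(e['ParentImage'])} -> {e['CommandLine']}")
    print(triage(SAMPLE_GOANYWHERE_LOG, SAMPLE_PROCESS_EVENTS)["verdict"])
```

Feed `find_signedobject_hits` the contents of the GoAnywhere log files and `java_spawning_shell` an export of Sysmon EventCode 1 (or auditd execve) records for the MFT hosts. The verdict ladder is deliberately conservative: the vendor IoC on its own already means an attacker reached the License Servlet, and a shell under the JVM on the same estate means the exploit succeeded, which is the point on the 12-hour timeline where isolating the host beats further investigation.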
Recommended Security Stack
- Kaspersky XDR: enterprise detection and rollback for fileless and deserialization attacks.
- Kaspersky Managed XDR (Recommended): automated correlation to contain within the Golden Hour.
FAQ — GoAnywhere MFT Incident
What is CVE-2025-10035? It is a critical deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT: an attacker holding a forged license response signature can make the server deserialize an object they control, which may lead to remote command injection. Patch immediately (7.8.4 or Sustain Release 7.6.3) and keep the Admin Console off the public internet.
How quickly can attackers escalate to ransomware? Vendor timelines show incidents escalated to ransomware within 6–12 hours of initial compromise, so containment decisions cannot wait for a full investigation.
What immediate steps should I take? Patch GoAnywhere, search its logs for `SignedObject.getObject`, and detect anomalous java→powershell or java→cmd executions; isolate any host that shows either indicator.
