CVE Alert: CVE-2025-10035 – Fortra – GoAnywhere MFT
CVE-2025-10035
A deserialization vulnerability in the License Servlet of Fortra’s GoAnywhere MFT allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection.
AI Summary Analysis
Risk verdict
Critical risk with active exploitation; urgent patching and containment required.
Why this matters
The deserialization flaw enables remote command execution from the License Servlet with no user interaction and no privileges, potentially allowing full compromise of the GoAnywhere MFT host. If the admin console or license validation is internet-exposed, an attacker could run arbitrary code, exfiltrate data, or pivot to adjacent systems.
Most likely attack path
External attacker targets a publicly reachable GoAnywhere MFT instance over the network; forged license responses are accepted, triggering deserialization of attacker-controlled objects. This yields remote code execution with changed scope, enabling rapid control of the server and potential lateral movement to connected assets.
Who is most exposed
Environments where the Admin Console or license validation endpoints are internet-facing (cloud deployments, DMZ segments, or poorly restricted VPNs) are highest risk; enterprises running GoAnywhere MFT in exposed configurations are most vulnerable.
Detection ideas
- Anomalous license validation or deserialization errors in License Servlet logs.
- Signatures or patterns consistent with forged license responses attempting deserialization.
- Unusual command executions or process spawning from the GoAnywhere host.
- Spikes in external admin console access or failed authentication events from unknown IPs.
- Unexpected outbound connections from the appliance post-authentication.
Mitigation and prioritisation
- Patch immediately to 7.8.4 or Sustain Release 7.6.3; verify integrity before upgrade.
- Eliminate public exposure: restrict Admin Console to trusted networks or VPN, enable MFA, and apply IP allowlists.
- Implement network segmentation and strong access controls around license validation services.
- Monitor license servlet activity and deploy enhanced logging + alerting for deserialization/command-execution indicators.
- Plan and test outage-free upgrade during a maintenance window; ensure backups are current.
- If KEV true or EPSS ≥ 0.5, treat as priority 1. If not, maintain immediate high-priority remediation.
A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.
If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below
To keep up to date follow us on the below channels.
