CVE Alert: CVE-2025-10035 - Fortra - GoAnywhere MFT

CVE-2025-10035

CRITICALExploitation active

A deserialization vulnerability in the License Servlet of Fortra’s GoAnywhere MFT allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection.

CVSS v3.1 (10)

AV NETWORK · AC LOW · PR NONE · UI NONE · S CHANGED

Vendor

Fortra

Product

GoAnywhere MFT

Versions

0 lte 7.8.3

CWE

CWE-77, CWE-77 Improper Neutralization of Special Elements used in a Command (‘Command Injection’)

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Published

2025-09-18T22:01:51.337Z

Updated

2025-09-27T03:55:22.542Z

References

https://www.fortra.com/security/advisories/product-security/fi-2025-012

AI Summary Analysis

Risk verdict

Critical risk with active exploitation; urgent patching and containment required.

Why this matters

The deserialization flaw enables remote command execution from the License Servlet with no user interaction and no privileges, potentially allowing full compromise of the GoAnywhere MFT host. If the admin console or license validation is internet-exposed, an attacker could run arbitrary code, exfiltrate data, or pivot to adjacent systems.

Most likely attack path

External attacker targets a publicly reachable GoAnywhere MFT instance over the network; forged license responses are accepted, triggering deserialization of attacker-controlled objects. This yields remote code execution with changed scope, enabling rapid control of the server and potential lateral movement to connected assets.

Who is most exposed

Environments where the Admin Console or license validation endpoints are internet-facing (cloud deployments, DMZ segments, or poorly restricted VPNs) are highest risk; enterprises running GoAnywhere MFT in exposed configurations are most vulnerable.

Detection ideas

Anomalous license validation or deserialization errors in License Servlet logs.
Signatures or patterns consistent with forged license responses attempting deserialization.
Unusual command executions or process spawning from the GoAnywhere host.
Spikes in external admin console access or failed authentication events from unknown IPs.
Unexpected outbound connections from the appliance post-authentication.

Mitigation and prioritisation

Patch immediately to 7.8.4 or Sustain Release 7.6.3; verify integrity before upgrade.
Eliminate public exposure: restrict Admin Console to trusted networks or VPN, enable MFA, and apply IP allowlists.
Implement network segmentation and strong access controls around license validation services.
Monitor license servlet activity and deploy enhanced logging + alerting for deserialization/command-execution indicators.
Plan and test outage-free upgrade during a maintenance window; ensure backups are current.
If KEV true or EPSS ≥ 0.5, treat as priority 1. If not, maintain immediate high-priority remediation.

A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.

If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below

Buy Me A Coffee

Patreon

To keep up to date follow us on the below channels.

Tags: CVE, cve-2025-10035, fortra, goanywhere-mft, OSINT, threatintel