Summary: Fortra recently issued security updates to address a maximum severity vulnerability in GoAnywhere MFT’s License Servlet. Tracked as CVE-2025-10035, the vulnerability pertains to a deserialization of untrusted data weakness and can be exploited in low-complexity attacks. “A deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection,” states the vendor in its advisory.
Security Officer Comments: GoAnywhere MFT is a popular managed file transfer solution that organizations use to securely transfer files. File transfer solutions are attractive targets for threat actors, given that these tools are used to transfer sensitive data. In the past, ransomware actors like Cl0p have leveraged vulnerabilities in GoAnywhere MFT software to exfiltrate data from hundreds of organizations across the globe. While Fortra did not mention whether CVE-2025-10035 is being exploited in attacks in the wild, successful exploitation attempts could garner similar outcomes.
Suggested Corrections: CVE-2025-10035 has been addressed in GoAnywhere MFT 7.8.4 and Sustain Release 7.6.3; administrators are advised to apply the updates as soon as possible. According to Fortra, exploitation of CVE-2025-10035 is highly dependent upon systems being externally exposed to the internet. As such, if patching is not currently feasible, administrators should ensure the GoAnywhere Admin Console is not open to the public.
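As an added example (not code from the page or from Fortra), a small Python triage helper that checks an inventory of GoAnywhere MFT installs against the two fixed versions named above. The sample inventory is constructed, and the rule that any build below 7.8.4 outside the 7.6 sustain branch counts as unpatched is an assumption, not something the advisory states.

```python
"""Triage a GoAnywhere MFT inventory against the CVE-2025-10035 fix versions.

Fixed versions taken from the advisory text: 7.8.4 (mainline) and 7.6.3 (Sustain Release).
Assumption (not stated on the page): any other build below 7.8.4 that is not on the
7.6 sustain branch (e.g. 7.7.x) is treated as unpatched.
"""

FIXED_MAINLINE = (7, 8, 4)
FIXED_SUSTAIN = (7, 6, 3)

# Constructed sample inventory: hostname -> reported version (None = not collected).
SAMPLE_INVENTORY = {
    "mft-dmz-01": "7.8.3",
    "mft-int-02": "7.8.4",
    "mft-legacy-03": "7.6.2",
    "mft-legacy-04": "v7.6.3",
    "mft-lab-05": None,
}


def parse_version(text):
    """Turn '7.8.4', 'v7.6.3' or '7.8.4.1' into a tuple of ints; reject anything else."""
    parts = text.strip().lstrip("vV").split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def is_patched(version):
    """True if the version carries the CVE-2025-10035 fix for its release branch."""
    v = parse_version(version)
    if v[:2] == (7, 6):          # sustain branch has its own fix level
        return v >= FIXED_SUSTAIN
    return v >= FIXED_MAINLINE   # everything else must be at or above 7.8.4


def triage(inventory):
    """Bucket hosts into patched / unpatched / unknown (missing or unparseable version)."""
    result = {"patched": [], "unpatched": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        if not version:
            result["unknown"].append(host)
            continue
        try:
            bucket = "patched" if is_patched(version) else "unpatched"
        except ValueError:
            bucket = "unknown"
        result[bucket].append(host)
    return result


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:>9}: {', '.join(hosts) or '-'}")
```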
Link(s): https://www.bleepingcomputer.com/ne...rity-flaw-in-goanywhere-mfts-license-servlet/