A critical security vulnerability has been identified in Fortra’s GoAnywhere Managed File Transfer (MFT) platform, posing significant risks to enterprises worldwide. This flaw, designated as CVE-2025-10035, resides in the License Servlet component and allows unauthenticated attackers to execute arbitrary commands remotely, potentially leading to full system compromise.
Understanding the Vulnerability (CVE-2025-10035)
The core issue lies in the License Servlet’s improper handling of serialized data within license responses. Specifically, the servlet deserializes data without validating object types, resulting in a classic case of CWE-502: Deserialization of Untrusted Data. This vulnerability is further compounded by CWE-77: Command Injection, enabling remote code execution with the following characteristics:
– Attack Vector: Network (AV:N)
– Attack Complexity: Low (AC:L)
– Privileges Required: None (PR:N)
– User Interaction: None (UI:N)
– Scope Impact: High (S:C)
– Confidentiality Impact: High (C:H)
– Integrity Impact: High (I:H)
– Availability Impact: High (A:H)
These factors culminate in a CVSS v3.1 score of 10.0, underscoring the critical nature of this vulnerability.
Technical Exploitation Details
An attacker can craft a malicious license response that passes signature verification, allowing them to inject commands via the deserialized object’s methods. For instance, a serialized payload referencing `java.lang.Runtime.exec()` could be constructed to execute arbitrary shell commands on the server hosting the GoAnywhere Admin Console. This exploitation method provides attackers with the capability to execute commands remotely without authentication, leading to potential data breaches, system disruptions, and further malicious activities within the compromised network.
Risk Factors and Impact
The primary risk factors associated with this vulnerability include:
– Affected Products: GoAnywhere MFT
– Impact: Remote Code Execution (RCE)
– Exploit Prerequisites: Ability to deliver a forged license response signature
– CVSS 3.1 Score: 10.0 (Critical)
Successful exploitation can result in unauthorized access to sensitive data, disruption of business operations, and potential propagation of attacks to other systems within the network.
Mitigation Strategies
To mitigate the immediate risks posed by CVE-2025-10035, Fortra recommends the following actions:
1. Restrict Admin Console Access: Implement firewall rules or network Access Control Lists (ACLs) to ensure that the GoAnywhere Admin Console is not publicly accessible over the internet. Access should be limited to trusted IP addresses only.
2. Upgrade to Patched Release: Permanent remediation requires upgrading GoAnywhere MFT to a patched release. Affected customers must update to version 7.8.4 or, if on the Sustain Release branch, version 7.6.3. These updates include validation routines in the License Servlet to enforce class whitelisting and signature checks, effectively eliminating unsafe deserialization.
Broader Context and Historical Precedents
This vulnerability is not an isolated incident. Similar deserialization flaws have been exploited in the past, leading to significant security breaches. For instance, in early 2023, a zero-day vulnerability (CVE-2023-0669) in GoAnywhere MFT was actively exploited by the Clop ransomware group, affecting over 130 organizations. The attackers leveraged a pre-authentication command injection flaw to gain unauthorized access and exfiltrate sensitive data, leading to substantial financial and reputational damage for the affected entities.
Recommendations for Security Teams
Given the critical nature of CVE-2025-10035 and its potential for exploitation, security teams are urged to prioritize the following actions:
– Immediate Patch Application: Apply the latest patches provided by Fortra without delay to remediate the vulnerability.
– Access Controls Review: Ensure that the GoAnywhere Admin Console is not exposed to the internet and is accessible only from trusted networks or IP addresses.
– Monitor for Indicators of Compromise (IoCs): Implement monitoring mechanisms to detect any signs of exploitation, such as unusual network traffic patterns, unexpected creation of administrative accounts, or unauthorized data access.
– Incident Response Preparedness: Develop and test incident response plans to ensure swift action can be taken in the event of a security breach.
Conclusion
The discovery of CVE-2025-10035 in Fortra’s GoAnywhere MFT platform highlights the ongoing challenges in securing enterprise file transfer solutions. Organizations must remain vigilant, promptly apply security patches, and implement robust access controls to protect against such critical vulnerabilities. Proactive measures and continuous monitoring are essential to safeguard sensitive data and maintain the integrity of enterprise systems.
