Fortra Releases Critical Patch for CVSS 10.0 GoAnywhere MFT Vulnerability

On September 19, 2025, Fortra disclosed a critical security vulnerability in its GoAnywhere Managed File Transfer (MFT) software, identified as CVE-2025-10035. This flaw has been assigned a maximum severity rating with a CVSS score of 10.0, indicating its potential for significant impact.

The vulnerability arises from a deserialization issue within the License Servlet component of GoAnywhere MFT. Specifically, an attacker who can craft a validly signed license response is able to deserialize arbitrary objects, potentially leading to command injection and unauthorized command execution on the affected system. Fortra emphasized that the risk is particularly acute for systems that are publicly accessible over the internet.

To mitigate this security risk, Fortra has released patched versions of the software: version 7.8.4 and the Sustain Release 7.6.3. Users are strongly advised to upgrade to these versions promptly to protect their systems from potential exploitation. In situations where immediate patching is not feasible, it is recommended to restrict public access to the GoAnywhere Admin Console to reduce exposure.
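As an added example, not Fortra's code, the following Python script triages an inventory of GoAnywhere MFT installations against the fixed releases named above (7.8.4 and Sustain Release 7.6.3) and ranks internet-exposed Admin Consoles first. The host names and versions are constructed, and the script assumes that a 7.6.x build is fixed at 7.6.3 or later while any other build is fixed only at 7.8.4 or later.

```python
# Added example (not Fortra's code): triage GoAnywhere MFT versions against the
# patched releases from the advisory. Assumption: 7.6.x is the sustain branch
# fixed at 7.6.3+; every other branch is fixed only at 7.8.4+ (so 7.7.x is
# treated as needing the 7.8.4 upgrade).
from __future__ import annotations

FIXED_MAIN = (7, 8, 4)      # patched mainline release
FIXED_SUSTAIN = (7, 6, 3)   # patched Sustain Release

PATCHED = "patched"
UPGRADE = "upgrade to 7.8.4 or 7.6.3"
URGENT = "upgrade now; Admin Console is internet-exposed, restrict access until patched"
_RANK = {URGENT: 0, UPGRADE: 1, PATCHED: 2}


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '7.6.2' (or '7.8', padded to 7.8.0) into a comparable int tuple."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(p) for p in parts) + (0, 0, 0)
    return nums[0], nums[1], nums[2]


def is_patched(version: str) -> bool:
    """True if the build carries the fix for CVE-2025-10035 (per the assumption above)."""
    v = parse_version(version)
    if v[:2] == FIXED_SUSTAIN[:2]:      # 7.6.x sustain branch
        return v >= FIXED_SUSTAIN
    return v >= FIXED_MAIN


def triage(inventory: dict[str, dict]) -> list[tuple[str, str]]:
    """Return (host, action) pairs, most urgent first."""
    findings = []
    for host, info in inventory.items():
        if is_patched(info["version"]):
            findings.append((host, PATCHED))
        elif info["admin_console_public"]:
            findings.append((host, URGENT))
        else:
            findings.append((host, UPGRADE))
    return sorted(findings, key=lambda f: _RANK[f[1]])


INVENTORY = {  # constructed sample data, not real hosts
    "mft-dmz-01": {"version": "7.6.2", "admin_console_public": True},
    "mft-int-02": {"version": "7.7.1", "admin_console_public": False},
    "mft-int-03": {"version": "7.8.4", "admin_console_public": False},
}

if __name__ == "__main__":
    for host, action in triage(INVENTORY):
        print(f"{host}: {action}")
```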

Fortra has not reported any exploitation of this vulnerability in the wild, but previous GoAnywhere MFT vulnerabilities have been targeted by malicious actors. For example, CVE-2023-0669, with a CVSS score of 7.2, was exploited as a zero-day by ransomware groups to exfiltrate sensitive data. In early 2024, Fortra addressed another critical vulnerability, CVE-2024-0204, with a CVSS score of 9.8, which could have been used to create unauthorized administrator accounts.

Security experts have raised concerns about the potential for rapid exploitation of this new vulnerability. Ryan Dewhurst, head of proactive threat intelligence at watchTowr, highlighted that the flaw affects the same license code path in the Admin Console as the previously exploited CVE-2023-0669. Given the widespread internet exposure of GoAnywhere MFT instances, Dewhurst warned that this issue is likely to be weaponized soon. He urged organizations to apply the official patches immediately and to restrict external access to the Admin Console to mitigate the risk.

In summary, the disclosure of CVE-2025-10035 underscores the importance of timely patching and vigilant security practices. Organizations running GoAnywhere MFT should prioritize applying the latest patches and review their configurations to confirm that administrative interfaces are not publicly accessible. Taking these steps significantly reduces exposure to exploitation.