Fortra patches critical GoAnywhere MFT flaw akin to past ransomware exploits

Users of Fortra’s GoAnywhere MFT solution are urged to patch a critical vulnerability that could allow attackers to inject and execute arbitrary commands.

The flaw, tracked as CVE-2025-10035, is rated with the maximum severity score of 10 on the CVSS scale. It stems from an insecure deserialization condition in the License Servlet component of the application.

GoAnywhere MFT is an enterprise managed file transfer solution that allows organizations to securely exchange files between partners, employees, and internal systems using a variety of protocols. The product, as well as other MFT solutions, has been targeted by ransomware gangs in the past as a way to gain initial access to enterprise networks.

“The description and root cause of CVE-2025-10035 — a newly disclosed critical vulnerability in Fortra’s GoAnywhere MFT solution — is virtually identical to that of CVE-2023-0669, another critical issue that was widely exploited by ransomware groups in 2023, including Cl0p,” Caitlin Condon, vice president of research at security intelligence firm VulnCheck, told CSO via email. “While it’s not clear currently if CVE-2025-10035 has been exploited in the wild, it’s safe to assume ransomware and other APT groups will be highly motivated to develop exploits targeting this new vulnerability.”

The new vulnerability was patched 5 days after it was discovered on Sept. 13. Users are advised to update to GoAnywhere MFT version 7.8.4 or 7.6.3, depending on which release they’re using.

Successful exploitation depends on attackers being able to access the GoAnywhere Admin Console and send a validly forged license response signature to deserialize an arbitrary actor-controlled object. Fortra advises users not to expose the Admin Console directly to the internet.

While there are currently no indications that a proof-of-concept exploit has been disclosed publicly or that attackers are already targeting this flaw, that is likely to change. When the Cl0p ransomware gang exploited CVE-2023-0669 in GoAnywhere as a zero-day in January 2023, the attackers claimed it resulted in the compromise of 130 organizations.
