CVE-2025-10035
📋 TL;DR
A critical deserialization vulnerability in Fortra's GoAnywhere MFT License Servlet allows attackers with forged license signatures to execute arbitrary commands through object deserialization. This affects all organizations using vulnerable versions of GoAnywhere MFT. The vulnerability enables remote code execution with the highest severity rating.
💻 Affected Systems
- Fortra GoAnywhere MFT
📦 What is this software?
GoAnywhere Managed File Transfer by Fortra
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise leading to data theft, ransomware deployment, lateral movement across the network, and complete loss of confidentiality, integrity, and availability.
Likely Case
Remote code execution allowing attackers to install malware, exfiltrate sensitive data, or establish persistent backdoors on the MFT server.
If Mitigated
Limited impact if network segmentation, strict access controls, and monitoring prevent successful exploitation or contain the damage.
🎯 Exploit Status
Exploitation requires a forged license response signature that passes validation, but exploitation has been confirmed in real attacks. CISA has added this vulnerability to its Known Exploited Vulnerabilities catalog.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.6.1
Vendor Advisory: https://www.fortra.com/security/advisories/product-security/fi-2025-012
Restart Required: Yes
Instructions:
1. Download GoAnywhere MFT version 7.6.1 from Fortra's support portal.
2. Back up your current installation and configuration.
3. Stop the GoAnywhere MFT service.
4. Apply the update following Fortra's upgrade documentation.
5. Restart the service and verify functionality.
🔧 Temporary Workarounds
Network Segmentation and Access Control
Restrict network access to GoAnywhere MFT to only trusted IP addresses and internal networks.
Disable License Servlet if Unused
If license management features are not required, disable the License Servlet component.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate GoAnywhere MFT from critical systems and the internet.
- Deploy application-level firewalls or WAF rules to block suspicious requests to the License Servlet endpoint.
🔍 How to Verify
Check if Vulnerable:
Check the GoAnywhere MFT version in the admin interface or via the installation directory. Versions below 7.6.1 are vulnerable.
Check Version:
Check the version in the web admin interface at /admin or review the release notes in the installation directory.
Verify Fix Applied:
After patching, confirm the version shows as 7.6.1 or higher in the admin interface and test license functionality remains operational.
📡 Detection & Monitoring
Log Indicators:
- Unusual requests to /goanywhere/license or similar license servlet endpoints
- Unexpected process execution or command injection patterns in system logs
- Failed license validation attempts with suspicious signatures
Network Indicators:
- Outbound connections from GoAnywhere MFT server to unknown external IPs
- Unusual traffic patterns to/from the MFT server on non-standard ports
SIEM Query:
source="goanywhere" AND (url_path="/license" OR event_description="license servlet") AND status="200"
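As an added example (not part of this advisory and not Fortra's tooling), the Python below applies the log indicators above to constructed access-log lines and compares an installed version against the 7.6.1 fix; the Common Log Format, the trusted-network prefix and the sample lines are assumptions.

```python
import re
from typing import Dict, Iterable, List, Tuple

FIXED_VERSION = (7, 6, 1)  # first fixed release named in the advisory

# Common Log Format (assumed); the request line carries method, path and protocol.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines for the demo; not taken from any real incident.
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Sep/2025:10:01:02 +0000] "POST /goanywhere/license HTTP/1.1" 200 512',
    '10.0.0.5 - - [25/Sep/2025:10:01:05 +0000] "GET /admin/ HTTP/1.1" 200 2048',
    '198.51.100.9 - - [25/Sep/2025:10:02:11 +0000] "POST /goanywhere/license/ HTTP/1.1" 200 128',
    '10.0.0.8 - - [25/Sep/2025:10:03:00 +0000] "POST /goanywhere/license HTTP/1.1" 200 64',
    '192.0.2.4 - - [25/Sep/2025:10:04:00 +0000] "POST /goanywhere/license HTTP/1.1" 403 0',
    'garbage line that does not parse',
]

def parse_version(text: str) -> Tuple[int, int, int]:
    """'7.6.1' -> (7, 6, 1); numeric tuples compare correctly where strings do not ('7.10' vs '7.6')."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def is_vulnerable(version: str) -> bool:
    """True when the installed version is below 7.6.1."""
    return parse_version(version) < FIXED_VERSION

def find_license_servlet_hits(lines: Iterable[str], trusted_prefixes: Tuple[str, ...] = ()) -> List[Dict]:
    """Return successful (200) requests to the license servlet path, skipping trusted source prefixes."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable lines are skipped rather than reported
        path = m.group("path").split("?", 1)[0].rstrip("/")
        if not path.startswith("/goanywhere/license") or m.group("status") != "200":
            continue
        if m.group("ip").startswith(trusted_prefixes):
            continue  # empty tuple matches nothing, so nothing is filtered by default
        hits.append({"ip": m.group("ip"), "path": m.group("path"), "ts": m.group("ts")})
    return hits

if __name__ == "__main__":
    print("7.4.1 vulnerable:", is_vulnerable("7.4.1"), "| 7.6.1 vulnerable:", is_vulnerable("7.6.1"))
    for hit in find_license_servlet_hits(SAMPLE_LOG, trusted_prefixes=("10.",)):
        print(hit)
```

Feed real access-log lines through `find_license_servlet_hits` and review every hit from outside the trusted ranges; a 200 response to the license endpoint from an unexpected source is the condition the SIEM query above is looking for.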