If you’re running Fortra’s GoAnywhere managed file transfer solution and you haven’t updated to the latest available version for a while, do so now or risk getting your instance compromised via CVE-2025-10035.
About CVE-2025-10035
CVE-2025-10035 is a critical deserialization vulnerability in the License servlet of Fortra’s GoAnywhere MFT managed file transfer solution, which is widely used by organizations of all sizes.
The solution can be deployed on-premises, in the cloud, and in hybrid environments.
According to Fortra, the flaw “allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection.”
While there’s currently no evidence that it has been or is being exploited by attackers, CVE-2025-10035 has a maximum severity CVSS score, denoting that it’s exploitable remotely over a network, without authentication and user interaction, could lead to full system compromise (and possible lateral movement), and the exploit is straightforward.
But, there is a catch: the vulnerability can only be exploited by attackers who have access to the GoAnywhere administrative console of a vulnerable installation.
In early 2023, plenty of those consoles were accessible via the internet and the Cl0p ransomware gang took advantage of those and a zero-day vulnerability (CVE-2023-0669) in the same servlet to exfiltrate data of 130+ victim organizations.
The incident hopefully spurred many an organization to make sure that the admin console is not publicly accessible from the internet. (It should be accessible only from within a private company network, through VPN, or from trusted IP addresses.)
What to do?
Fortra disclosed the vulnerability late last Thursday and has urged customers to either upgrade to a patched version (v7.8.4 or Sustain Release v7.6.3) or to ensure that access to the GoAnywhere Admin Console is not open to the public (or both).
The company has also advised them to monitor their Admin Audit logs for suspicious activity and the log files for errors containing SignedObject.getObject.
“If this string is present in an exception stack trace, then the instance was likely affected by this vulnerability,” Fortra noted.
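The log check Fortra describes can be scripted. The following is an added example, not Fortra's own tooling: it groups log lines into entries (a timestamped line plus the stack-trace continuation lines that follow it) and reports every entry whose trace contains SignedObject.getObject. The timestamp layout, the sample log and the class names in it are constructed for illustration, not GoAnywhere's actual log format.

```python
import re

INDICATOR = "SignedObject.getObject"
# Assumed entry prefix: "YYYY-MM-DD HH:MM:SS". Adjust to the real log layout.
ENTRY_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")


def group_entries(lines):
    """Yield log entries as lists of lines: one timestamped header line
    followed by continuation lines (stack frames, 'Caused by:' lines)."""
    entry = []
    for line in lines:
        line = line.rstrip("\n")
        if ENTRY_START.match(line) and entry:
            yield entry
            entry = []
        entry.append(line)
    if entry:
        yield entry


def find_indicator_hits(lines):
    """Return (header line, first matching trace line) for every entry
    whose stack trace contains the indicator string."""
    hits = []
    for entry in group_entries(lines):
        frames = [ln for ln in entry[1:] if INDICATOR in ln]
        if frames:
            hits.append((entry[0], frames[0].strip()))
    return hits


# Constructed sample log; class names are placeholders, not real ones.
SAMPLE_LOG = """\
2025-09-20 10:15:02 INFO  License check completed
2025-09-20 10:16:44 ERROR Unhandled exception in License servlet
java.lang.ClassCastException: cannot cast deserialized object
\tat java.base/java.security.SignedObject.getObject(SignedObject.java:180)
\tat com.example.license.ResponseHandler.handle(Unknown Source)
2025-09-20 10:17:00 INFO  Admin login from 10.0.0.5
""".splitlines()

if __name__ == "__main__":
    # For a real file: find_indicator_hits(open("/path/to/goanywhere.log"))
    for header, frame in find_indicator_hits(SAMPLE_LOG):
        print(f"ALERT: {header}\n       {frame}")
```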
“In general, it’s also advisable to implement egress filtering and alert on large file uploads, high-volume traffic to suspicious IPs or domains, and data transfer and archive utility usage,” VulnCheck’s VP of research Caitlin Condon added.
“As always, if the vulnerability turns out to have been exploited in the wild as a zero-day — which was unclear at time of disclosure — patching alone will not eradicate adversaries from compromised systems.”