FI-2025-012 - Deserialization Vulnerability in GoAnywhere MFT's License Servlet

Severity: Critical
Published Date: 18-Sep-2025
Updated Date: 18-Sep-2025
Vulnerabilities: CVE-2025-10035

Description

A deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection.

Vulnerabilities

Deserialization Vulnerability in GoAnywhere MFT's License Servlet
Severity: Critical
CVE: CVE-2025-10035
CWE: CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection'); CWE-502: Deserialization of Untrusted Data
Discovery Date: 13-Sep-2025
CVSS v3.1: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Affected Products: GoAnywhere MFT

Vulnerability Notes

Remediation: Mitigation

Immediately ensure that the GoAnywhere Admin Console is not reachable from the public internet. Exploitation of this vulnerability depends heavily on the system being externally exposed.

Remediation: Patch

Upgrade to a patched version (the latest release, 7.8.4, or the Sustain Release 7.6.3).
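The following is an added triage helper, not Fortra's code, that applies the advisory's two fixed versions and its exposure mitigation to an inventory record. It assumes that installs on the 7.6 Sustain line are patched at 7.6.3 or later and every other line at 7.8.4 or later, so intermediate lines such as 7.7.x are treated as unpatched.

```python
# Added example for CVE-2025-10035 triage; not Fortra's code.
# Assumption: 7.6.x is patched from 7.6.3, any other line from 7.8.4,
# so intermediate lines (e.g. 7.7.x) are treated as unpatched.
from typing import Tuple

FIXED_LATEST = (7, 8, 4)   # latest release named in the advisory
FIXED_SUSTAIN = (7, 6, 3)  # Sustain Release named in the advisory


def parse_version(version: str) -> Tuple[int, ...]:
    """Parse a dotted numeric version; pad to three parts; reject junk."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GoAnywhere MFT version: {version!r}")
    nums = [int(p) for p in parts]
    nums += [0] * (3 - len(nums))  # "7.8" -> (7, 8, 0)
    return tuple(nums)


def is_patched(version: str) -> bool:
    """True if the version is at or above the fixed release for its line."""
    v = parse_version(version)
    if v[:2] == FIXED_SUSTAIN[:2]:   # 7.6 Sustain line
        return v >= FIXED_SUSTAIN
    return v >= FIXED_LATEST        # every other line


def triage(version: str, admin_console_public: bool) -> str:
    """Combine the version check with the advisory's exposure mitigation."""
    if is_patched(version):
        return "patched"
    if admin_console_public:
        return "unpatched, admin console exposed: restrict access and upgrade"
    return "unpatched, admin console not public: upgrade"


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = [("mft-a", "7.8.3", True),
                 ("mft-b", "7.6.3", False),
                 ("mft-c", "7.7.1", False)]
    for host, ver, public in inventory:
        print(f"{host} {ver}: {triage(ver, public)}")
```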
