Introduction
On September 18, 2025, Fortra issued urgent security advisories for users of its flagship GoAnywhere Managed File Transfer (MFT) platform—a staple in secure file movement across many Fortune 1000 organizations. They revealed CVE-2025-10035, a deserialization flaw in the product’s License Servlet with a critical CVSS score of 10.0—the highest possible mark and an immediate call to action for every security team and technical owner.
What Is CVE-2025-10035?
This vulnerability allows attackers with a forged license response signature to pass actor-controlled objects to GoAnywhere’s License Servlet. Unsafe deserialization occurs, opening the door for remote command injection and operating system-level code execution—potentially without any need to log in or bypass further authentication controls. The exploit chain is reminiscent of the infamous CVE-2023-0669, previously abused by Cl0p and other advanced threat actors as a zero-day.
Who Is At Risk?
Any organization running vulnerable versions of GoAnywhere MFT (prior to 7.8.4 or 7.6.3) that exposes its Admin Console to the internet is at extremely high risk. Public-facing instances put crown jewels in the crosshairs of ransomware groups, initial access brokers, and opportunistic attackers alike.
Technical Deep Dive
CVE-2025-10035 centers on how the License Servlet processes serialized data. By crafting a forged license response signature that the servlet accepts as valid, attackers can send malicious payloads, which the vulnerable servlet will deserialize and execute. This enables arbitrary OS commands, data theft, lateral movement and possible ransomware deployment, leaving no room for delay or indifference.
- No exploit code is publicly confirmed, but immediate patching is universally recommended in light of GoAnywhere’s attack history.
What You Must Do (Right Now)
The only safe versions are GoAnywhere 7.8.4 (Main) and 7.6.3 (Sustain), released to address CVE-2025-10035. Patch all instances immediately. If direct patching is temporarily impossible:
- Remove the Admin Console from all public exposure.
- Monitor for unusual activity—especially large file transfers or suspicious file utility use.
- Tighten network controls, enforce least privilege, and closely track privileged accounts.
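As an added illustration of the guidance above (not Fortra's code or tooling), this Python sketch triages an asset inventory against the fixed versions named in this post. The host names, the inventory field names, and the rule that the Sustain line means 7.6.x builds are assumptions; versions that cannot be parsed are treated as unpatched.

```python
import re

FIXED_MAIN = (7, 8, 4)     # fixed Main release named in the text above
FIXED_SUSTAIN = (7, 6, 3)  # fixed Sustain release named in the text above
SUSTAIN_LINE = (7, 6)      # assumption: Sustain builds are all 7.6.x


def parse_version(text):
    """Return (major, minor, patch) or None if the string is not a version."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\.(\d+))?\s*", text or "")
    if not m:
        return None
    return tuple(int(g or 0) for g in m.groups())


def is_patched(version):
    """True if the version is at or above the fix for its release line."""
    if version[:2] == SUSTAIN_LINE:
        return version >= FIXED_SUSTAIN
    return version >= FIXED_MAIN


def triage(inventory):
    """Classify each instance; unknown versions are treated as unpatched."""
    results = []
    for item in inventory:
        version = parse_version(item.get("version"))
        patched = version is not None and is_patched(version)
        exposed = bool(item.get("admin_console_public"))
        if patched:
            action = "ok"
        else:
            action = "patch-now-and-unexpose" if exposed else "patch"
        results.append((item["host"], action))
    return results


# Constructed sample inventory (hypothetical hosts and field names).
SAMPLE = [
    {"host": "mft-dmz-01", "version": "7.8.3", "admin_console_public": True},
    {"host": "mft-int-02", "version": "7.6.3", "admin_console_public": False},
    {"host": "mft-int-03", "version": "7.7.1", "admin_console_public": False},
    {"host": "mft-dmz-04", "version": "unknown", "admin_console_public": True},
]

if __name__ == "__main__":
    for host, action in triage(SAMPLE):
        print(f"{host}: {action}")
```

Note that a 7.7.x build is flagged even though it is newer than 7.6.3, because only the 7.6 line is treated as Sustain here.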
Final Thoughts
GoAnywhere MFT remains a high-value target for advanced attackers, and CVE-2025-10035 presents the most severe risk possible: unauthenticated, remote command execution through a routinely internet-exposed service. Treat this like a fire drill—patch, segment, and monitor. Cybersecurity is often a race, and this time, adversaries have a head start.