CVE-2025-10035 (CVSS 10): Critical Deserialization Flaw in GoAnywhere MFT Exposes Enterprises to Remote Exploitation

A newly disclosed vulnerability in Fortra’s GoAnywhere Managed File Transfer (MFT) platform has been assigned CVE-2025-10035, carrying the maximum CVSS score of 10.0. The flaw resides in the product’s License Servlet and poses a severe risk to organizations that expose their GoAnywhere Admin Console to the internet.

The issue stems from unsafe handling of serialized objects. According to the advisory, “A deserialization vulnerability in the License Servlet of Fortra’s GoAnywhere MFT allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection.”

In practice, this means a determined attacker could execute arbitrary code on vulnerable systems—effectively hijacking critical file transfer infrastructure that often manages sensitive corporate and government data.

Exploitation is heavily dependent on external exposure. Systems with their Admin Console accessible to the internet are at the highest risk. As noted in the advisory, “Exploitation of this vulnerability is highly dependent upon systems being externally exposed to the internet.”

This mirrors patterns seen in previous GoAnywhere security incidents, where adversaries—including ransomware operators—rushed to exploit internet-facing MFT instances for initial access and data exfiltration.

Fortra has released GoAnywhere MFT version 7.8.4 and Sustain Release 7.6.3, which address the vulnerability. All organizations using affected versions are strongly urged to upgrade immediately.

As an immediate precaution, administrators should:

  • Ensure the GoAnywhere Admin Console is not open to the public.
  • Place the service behind a firewall or VPN to limit access to trusted networks.
  • Monitor logs for suspicious activity involving license validation processes.
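A small triage script, added here as an example and not code from the article or from Fortra, that ranks a GoAnywhere MFT inventory by the two risk factors the advisory names: an unpatched build and an Admin Console reachable from the internet. It assumes that any 7.6.x build below Sustain Release 7.6.3, and any other build below 7.8.4, is unpatched; the host list is constructed sample data.

```python
"""Triage GoAnywhere MFT hosts against the CVE-2025-10035 fix versions.
Assumption: a 7.6.x build below 7.6.3, and any other build below 7.8.4,
is treated as unpatched. Hosts in the demo block are constructed samples."""

FIXED_MAINLINE = (7, 8, 4)   # GoAnywhere MFT 7.8.4
FIXED_SUSTAIN = (7, 6, 3)    # Sustain Release 7.6.3


def parse_version(text):
    """'7.8.3' -> (7, 8, 3); '7.6' -> (7, 6, 0). Rejects non-numeric input."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts] + [0, 0, 0]   # pad short strings
    return tuple(nums[:3])


def needs_patch(version):
    """True when the build predates the fix for its release line (see assumption)."""
    v = parse_version(version)
    if v[:2] == (7, 6):                # Sustain Release line
        return v < FIXED_SUSTAIN
    return v < FIXED_MAINLINE          # every other line measured against 7.8.4


def triage(hosts):
    """hosts: iterable of (name, version, admin_console_on_internet).
    Returns [(name, tier)] in input order. An unpatched build whose Admin
    Console is internet-facing is the worst case the advisory describes."""
    result = []
    for name, version, exposed in hosts:
        if not needs_patch(version):
            tier = "patched"
        elif exposed:
            tier = "critical"          # unpatched and externally exposed
        else:
            tier = "high"              # unpatched, but only reachable internally
        result.append((name, tier))
    return result


if __name__ == "__main__":
    # Constructed inventory: (hostname, reported version, Admin Console on internet?)
    sample = [("mft-dmz", "7.8.3", True), ("mft-int", "7.6.2", False),
              ("mft-new", "7.8.4", True)]
    for name, tier in triage(sample):
        print(f"{name:10s} {tier}")
```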
