CVE-2025-10035 Critical Remote Code Execution in Fortra GoAnywhere MFT
What is CVE-2025-10035?
A new critical vulnerability, CVE-2025-10035, has been disclosed in Fortra’s GoAnywhere MFT, a widely used managed file transfer solution. The flaw lies in the License Servlet and allows unauthenticated attackers to achieve remote code execution (RCE) through crafted license responses. The vendor has rated this vulnerability as Critical (CVSS 10.0) due to its potential for complete system compromise over the network.
IONIX has added CVE-2025-10035 to our Threat Center, pinpointing potentially affected assets for our customers.
Technical Details of CVE-2025-10035
- Vulnerability type: Insecure deserialization leading to command injection
- Affected versions: GoAnywhere MFT up to and including 7.8.3
- Fixed versions: 7.8.4 (latest) and Sustain Release 7.6.3
- Attack vector: Network, unauthenticated, no user interaction
- Root causes: CWE-502 (Deserialization of untrusted data), CWE-77 (Command injection)
The flaw arises when GoAnywhere’s License Servlet processes forged license responses. If attackers can bypass signature checks, they can inject malicious objects into the deserialization flow, leading to arbitrary command execution with the privileges of the MFT service.
Risk & Impact of Fortra GoAnywhere MFT CVE
- Who is at risk: Any organization with an internet-exposed GoAnywhere MFT instance (especially those exposing the Admin Console or License Servlet).
- Impact: Complete server compromise, potential lateral movement, theft of sensitive files, credential exposure, and use of the MFT as a beachhead for further attacks.
- Current exploitation status: No public exploit code or active exploitation observed as of publication. However, the ease of exploitation and attractiveness of the target make this a high-priority patching event.
What Security Teams Should Do Immediately
- Patch now: Upgrade to 7.8.4 or Sustain Release 7.6.3.
- Restrict access: Remove public internet access to the Admin Console and License Servlet until patched. Place these interfaces behind VPN or firewall restrictions.
- Monitor logs: Look for unusual or malformed license response requests, serialized payloads, or repeated validation failures.
- Hunt for compromise: Investigate signs of suspicious process execution, new users, or unexpected outbound traffic from MFT servers.
- Prepare incident response: If compromise is suspected, rotate credentials and certificates associated with the MFT system.
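The patch and restrict-access steps above can be turned into an inventory triage. The following Python sketch is an added example, not Fortra or IONIX code. The host names, the `public` flag and the inventory format are hypothetical, and it assumes that only 7.6.x builds at or above 7.6.3 count as the patched sustain branch.

```python
import re

# Version boundaries come from the advisory text above.
FIXED_MAINLINE = (7, 8, 4)
FIXED_SUSTAIN = (7, 6, 3)  # Sustain Release

def parse_version(text):
    """Return (major, minor, patch), or None if the string is not a version."""
    m = re.fullmatch(r"\s*v?(\d+)\.(\d+)(?:\.(\d+))?\s*", text or "")
    return tuple(int(g or 0) for g in m.groups()) if m else None

def is_affected(version):
    """True = affected, False = fixed, None = version could not be parsed."""
    v = parse_version(version)
    if v is None:
        return None
    if v >= FIXED_MAINLINE:
        return False
    # Assumption: only 7.6.x builds at or above 7.6.3 are the patched sustain branch.
    return not (v[:2] == FIXED_SUSTAIN[:2] and v >= FIXED_SUSTAIN)

def triage(inventory):
    """Return (host, action) pairs, most urgent first."""
    ranked = []
    for item in inventory:
        affected = is_affected(item["version"])
        if affected is False:
            rank, action = 3, "fixed version, no upgrade needed"
        elif item["public"]:
            rank, action = 0, "remove public access now, then upgrade"
        elif affected is None:
            rank, action = 1, "confirm version, treat as affected until known"
        else:
            rank, action = 2, "upgrade to 7.8.4 or Sustain Release 7.6.3"
        ranked.append((rank, item["host"], action))
    ranked.sort(key=lambda r: r[0])  # stable: keeps inventory order within a rank
    return [(host, action) for _, host, action in ranked]

# Constructed sample inventory (hypothetical hosts, not from the advisory).
SAMPLE_INVENTORY = [
    {"host": "mft-int-02", "version": "7.6.3", "public": False},
    {"host": "mft-dmz-01", "version": "7.8.3", "public": True},
    {"host": "mft-int-03", "version": "7.6.2", "public": False},
    {"host": "mft-dmz-04", "version": "unknown", "public": False},
    {"host": "mft-int-05", "version": "7.8.4", "public": True},
]

if __name__ == "__main__":
    for host, action in triage(SAMPLE_INVENTORY):
        print(f"{host}: {action}")
```

A host whose version cannot be parsed is never reported as fixed, so gaps in the inventory surface as work items instead of disappearing.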
How IONIX Helps
At IONIX, our External Exposure Management Platform gives security teams the visibility and intelligence they need to stay ahead of critical vulnerabilities like CVE-2025-10035:
- Discovery & mapping: We continuously identify internet-facing assets, including hidden or forgotten GoAnywhere instances.
- Potentially affected assets: For this CVE, we provide customers with a prioritized list of assets that could be vulnerable, based on version and exposure.
- Threat Center integration: Customers are notified in real time when new zero-days and high-risk CVEs appear, along with actionable remediation guidance.
- Operationalization: Our platform integrates with SIEM, SOAR, and ticketing systems like Splunk, Sentinel, Jira, and ServiceNow for rapid triage and remediation.
By focusing on true exposures rather than theoretical risks, IONIX empowers teams to reduce risk at scale and stay ahead of attacker activity.
CVE-2025-10035 is a critical, network-exploitable vulnerability with the potential for full compromise of exposed GoAnywhere MFT servers. While no exploitation has yet been reported, the severity and simplicity of the flaw make it imperative to patch immediately. Organizations must act quickly to inventory affected systems, apply vendor fixes, and restrict exposure.
IONIX is here to help security teams navigate this threat with prioritized exposure data and actionable insights.
