CVE-2025-10035: 
GoAnywhere MFT 脆弱性の分析と軽減

A critical deserialization vulnerability (CVE-2025-10035) was discovered in the License Servlet of Fortra's GoAnywhere MFT. The vulnerability, disclosed on September 18, 2025, allows an attacker with a validly forged license response signature to deserialize an arbitrary actor-controlled object, potentially leading to command injection. The vulnerability affects versions prior to 7.8.4 and 7.6.3 of GoAnywhere MFT and has received a maximum CVSS score of 10.0 (Fortra Advisory, NVD).

The vulnerability exists in the License Servlet component exposed at /goanywhere/lic/accept/. The flaw involves a complex authentication bypass of the License Servlet through manipulation of the license request token validation process. An attacker can bypass authentication requirements by appending invalid data to specific endpoints and triggering exceptions that lead to the generation of valid license request tokens. This allows access to the vulnerable deserialization routine (WatchTowr Labs).

The vulnerability allows attackers to achieve remote code execution and create backdoor admin accounts in affected systems. Given that GoAnywhere MFT is deployed in Fortune 500 companies with over 20,000 instances exposed to the Internet, the potential impact is severe. The solution's role in handling sensitive file transfers makes it an particularly attractive target for threat actors (Arctic Wolf).

Organizations are strongly advised to upgrade to the fixed versions: 7.8.4 (latest release) or 7.6.3 (sustain release). Additionally, Fortra recommends ensuring that the GoAnywhere Admin Console is not publicly accessible from the internet, as exploitation is highly dependent on systems being externally exposed (Arctic Wolf).

The security community has expressed significant concern about this vulnerability, particularly given GoAnywhere's history with previous critical vulnerabilities like CVE-2023-0669 that led to widespread compromises by the cl0p ransomware gang. There has also been criticism of Fortra's handling of the disclosure, particularly regarding transparency about in-the-wild exploitation despite being a signatory of CISA's Secure By Design pledge (WatchTowr Labs).