
Cloud Vulnerability DB
A community-led vulnerabilities database
A critical deserialization vulnerability (CVE-2025-10035) was discovered in Fortra's GoAnywhere MFT's License Servlet on September 18, 2025. The vulnerability allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, potentially leading to command injection. The flaw affects versions prior to 7.8.4 and 7.6.3 of GoAnywhere MFT and has been assigned the maximum CVSS score of 10.0 (Fortra Advisory, Arctic Wolf).
The vulnerability is a deserialization flaw located in the License Servlet component of GoAnywhere MFT. It has been assigned CWE-77 and CWE-502 classifications for Command Injection and Deserialization of Untrusted Data respectively. The severity is rated as Critical with a CVSS v3.1 score of 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating network accessibility, low attack complexity, and no required privileges or user interaction (Fortra Advisory, Hacker News).
If successfully exploited, the vulnerability could allow attackers to execute arbitrary commands on the affected system. Given that GoAnywhere MFT solutions are used for sensitive file transfers in enterprise environments, successful exploitation could lead to significant data breaches. This is particularly concerning given the product's history, as it was previously targeted by ransomware groups in 2023 through different vulnerabilities (Rapid7, Hacker News).
Fortra has released patches to address the vulnerability in versions 7.8.4 (latest release) and 7.6.3 (sustain release). Organizations are strongly advised to upgrade to these patched versions immediately. As an additional mitigation measure, organizations should ensure that access to the GoAnywhere Admin Console is not open to the public internet (Fortra Advisory, Arctic Wolf).
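As an added triage helper (not Fortra's or Wiz's code), the snippet below encodes the fixed versions named in the advisory so an inventory of GoAnywhere MFT hosts can be checked for builds that still need the upgrade. It assumes version strings of the form MAJOR.MINOR[.PATCH], and it assumes the advisory's "prior to 7.8.4 and 7.6.3" means that only the 7.6.x sustain line is fixed at 7.6.3, so 7.7.x and 7.8.0-7.8.3 builds still have to move to 7.8.4; the host inventory is constructed.

```python
import re

# Fixed versions stated in the Fortra advisory: 7.8.4 (latest), 7.6.3 (sustain).
FIXED_LATEST = (7, 8, 4)
FIXED_SUSTAIN = (7, 6, 3)


def parse_version(text: str) -> tuple:
    """Parse 'MAJOR.MINOR[.PATCH]' (assumed format); patch defaults to 0."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised GoAnywhere version string: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_vulnerable(version: str) -> bool:
    """True if the build is still affected by CVE-2025-10035.

    Interpretation (an assumption of this example): a 7.6.x build is fixed
    at 7.6.3 or later; every other build must be at least 7.8.4, so 7.7.x
    and 7.8.0-7.8.3 are still affected and have to move to 7.8.4.
    """
    v = parse_version(version)
    if v[:2] == FIXED_SUSTAIN[:2]:
        return v < FIXED_SUSTAIN
    return v < FIXED_LATEST


def recommended_target(version: str) -> str:
    """Fix version for the host's release line: 7.6.3 for 7.6.x, else 7.8.4."""
    v = parse_version(version)
    return "7.6.3" if v[:2] == FIXED_SUSTAIN[:2] else "7.8.4"


def triage(inventory: dict) -> dict:
    """Map host -> upgrade action for every host running an affected build."""
    return {
        host: f"upgrade {ver} -> {recommended_target(ver)}"
        for host, ver in inventory.items()
        if is_vulnerable(ver)
    }


# Constructed sample inventory: host names and versions are made up.
SAMPLE_INVENTORY = {
    "mft-prod-01": "7.8.3",
    "mft-prod-02": "7.8.4",
    "mft-legacy-01": "7.6.2",
    "mft-legacy-02": "7.6.3",
    "mft-staging": "7.7.1",
}
```

Run `triage(SAMPLE_INVENTORY)` to get the three hosts that still need patching together with the release they should move to; the remaining mitigation from the advisory, keeping the Admin Console off the public internet, is a network-exposure check outside this snippet.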
Security researchers emphasize the critical nature of this vulnerability, particularly given GoAnywhere MFT's history as a target for ransomware groups. Ryan Dewhurst, head of proactive threat intelligence at watchTowr, noted that the vulnerability impacts the same license code path as the earlier CVE-2023-0669, which was widely exploited by multiple ransomware and APT groups in 2023 (Hacker News).
Source: This report was generated using AI