CVSS 10 in Fortra GoAnywhere MFT – Patch Now!

CVE-2025-10035 (CVSS 10.0) is a new critical severity vulnerability in Fortra GoAnywhere MFT (Managed File Transfer). This maximum-risk CVE could provide attackers with unauthenticated remote command execution (RCE). Greenbone can detect vulnerable systems and all users should patch with urgency. 


GoAnywhere MFT is a centralized Managed File Transfer (MFT) platform enabling file exchanges between business partners, customers, and within an organization. The application also provides auditing and compliance reporting.

The root cause of this CVE is a deserialization flaw [CWE-502] in Fortra GoAnywhere MFT’s License Servlet that allows an attacker to forge a license response signature and thereby inject and execute arbitrary commands [CWE-77]. Although in-the-wild exploitation has not been confirmed, Fortra GoAnywhere has been a popular target for ransomware operators in the past: in 2023, CVE-2023-0669 (CVSS 7.2) was exploited by the Clop ransomware operation, resulting in multiple high-profile breaches. No public PoC for CVE-2025-10035 is available yet, although a detailed technical analysis has been published. That analysis does not describe a complete exploit chain, and some details of the chain remain unconfirmed.

CVE-2025-10035 has prompted national CERT alerts from Canada’s Canadian Centre for Cyber Security [1], the Netherlands’ NCSC-NL [2], and India’s CERT-In [3]. Germany’s BSI has also issued an alert [WID-SEC-2025-2090] and assigned a CVSS Temporal score of 8.7, reflecting unproven exploitation status (E:U), the availability of an official fix (RL:O), and confirmed confidence in the report (RC:C).

A remote version check was swiftly added to Greenbone’s OPENVAS ENTERPRISE FEED, allowing defenders to identify vulnerable instances of Fortra GoAnywhere MFT.

Risk Assessment for CVE-2025-10035 in Fortra GoAnywhere

Going simply by the CVSS 10 rating, the risk posed by CVE-2025-10035 is extremely high if GoAnywhere’s Admin Console is exposed to the Internet. According to the analysis, attack complexity is considered low, no user interaction is required, and exploitation could result in complete system takeover.

However, public exposure is not a prerequisite for exploitation. Instances on a private network could also be exploited by malicious insiders or through trusted third-party relationships [T1199]. Verizon’s 2025 DBIR (Data Breach Investigations Report) identifies Privilege Misuse (described as nefarious schemes by insider threats) as the primary root cause of 8% of the breaches it studied from 2024. This is a notable figure, and it undercuts the assumption that only public-facing vulnerabilities pose a serious threat to cyber resilience.

Technical Analysis of CVE-2025-10035 in Fortra GoAnywhere

GoAnywhere’s License Servlet is used to activate the GoAnywhere MFT license bundle as part of the setup, renewal, and migration processes. The License Servlet deserializes an encoded Java SignedObject; in the case of CVE-2025-10035, this deserialization step can reportedly lead to RCE.

watchTowr’s analysis shows a pre-authentication flaw: the Unlicensed.xhtml page returns an auth token even when the instance has already been licensed. A malformed HTTP GET request to a route such as /goanywhere/license/Unlicensed.xhtml/x? erroneously creates a valid license-request token and returns it, encrypted, inside a bundled data object. This happens because the error handler, AdminErrorHandlerServlet, internally generates a valid license-request token, associates it with the unauthenticated session, and returns it to the client inside that serialized data object. The bundle is encrypted with a hard-coded key, so it can be decrypted offline to recover the GUID auth token in plaintext.

Once the GUID token is recovered, an unauthenticated attacker can use it to reach the License Servlet endpoint, POST /goanywhere/lic/accept/<GUID> … bundle=<payload>, and submit a malicious serialized payload. However, the mechanism by which such a payload gets deserialized is still unknown, because the payload must be signed with Fortra’s own private key. Security researchers have pointed to possible explanations such as a stolen private key, or a malicious payload that was mistakenly signed with Fortra’s private key.

Mitigating CVE-2025-10035 in Fortra GoAnywhere

Fortra has released a security advisory [FI-2025-012] with mitigation instructions for CVE-2025-10035. Full remediation requires upgrading to a fixed release: 7.8.4 (latest) or 7.6.3 (Sustain). As a temporary mitigation, restrict access to the Admin Console.
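The following is an added example, not code from Greenbone or Fortra, showing how an inventory of GoAnywhere MFT instances can be triaged against the two fixed releases named in the advisory, with patch priority driven by whether the Admin Console is Internet-facing (the exposure argument from the risk assessment above). The rule that a 7.6.x install is fixed from 7.6.3 and every other version must be at least 7.8.4 is this example's reading of the advisory; the hostnames, versions and `admin_console_exposed` flags are constructed inventory data, not scanner output.

```python
"""Triage GoAnywhere MFT instances for CVE-2025-10035 by version and exposure.

Fixed releases per the Fortra advisory cited above: 7.8.4 (latest) and
7.6.3 (Sustain). The branch rule (a 7.6.x instance is fixed from 7.6.3, any
other version must be at least 7.8.4) is this example's reading of that
advisory. The inventory is constructed data, not output of a real scanner.
"""
from __future__ import annotations

import re

FIXED_LATEST = (7, 8, 4)
FIXED_SUSTAIN = (7, 6, 3)
_VERSION = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple[int, int, int]:
    """Extract major.minor.patch from strings like '7.8.3' or '7.6.2-build12'."""
    m = _VERSION.match(text)
    if not m:
        raise ValueError(f"unrecognised GoAnywhere version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def fixed_release_for(version: str) -> tuple[int, int, int]:
    """Sustain (7.6.x) installs are fixed at 7.6.3; everything else at 7.8.4."""
    v = parse_version(version)
    return FIXED_SUSTAIN if v[:2] == FIXED_SUSTAIN[:2] else FIXED_LATEST


def is_vulnerable(version: str) -> bool:
    """True when the running version is older than its branch's fixed release."""
    return parse_version(version) < fixed_release_for(version)


def priority(vulnerable: bool, admin_console_exposed: bool) -> str:
    """Internet-facing Admin Consoles first; internal instances are still
    reachable by insiders and trusted third parties, so they stay 'high'."""
    if not vulnerable:
        return "ok"
    return "critical" if admin_console_exposed else "high"


def triage(inventory: list[dict]) -> list[dict]:
    """Return one row per host, most urgent first."""
    rows = []
    for host in inventory:
        vuln = is_vulnerable(host["version"])
        rows.append({
            "host": host["host"],
            "version": host["version"],
            "vulnerable": vuln,
            "priority": priority(vuln, host["admin_console_exposed"]),
            "upgrade_to": ".".join(map(str, fixed_release_for(host["version"]))),
        })
    order = {"critical": 0, "high": 1, "ok": 2}
    rows.sort(key=lambda r: (order[r["priority"]], r["host"]))
    return rows


# Constructed inventory for the example (hostnames and versions are made up).
INVENTORY = [
    {"host": "mft-internal-03", "version": "7.6.3", "admin_console_exposed": False},
    {"host": "mft-lab-04", "version": "7.8.4", "admin_console_exposed": True},
    {"host": "mft-dmz-01", "version": "7.8.3", "admin_console_exposed": True},
    {"host": "mft-internal-02", "version": "7.6.2", "admin_console_exposed": False},
]

if __name__ == "__main__":
    for r in triage(INVENTORY):
        state = f"VULNERABLE, upgrade to {r['upgrade_to']}" if r["vulnerable"] else "fixed"
        print(f"{r['priority']:8} {r['host']:16} {r['version']:8} {state}")
```

Note that a 7.7.x instance is not covered by the Sustain fix and must move to 7.8.4; the branch check handles that without a special case because only the 7.6 minor maps to the Sustain target.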

Fortra also advises all users to hunt for Indicators of Compromise (IoC), namely stack traces in the application logs that record an error in SignedObject.getObject. The presence of this string is a strong indicator that the instance has been targeted and should be treated as a potential compromise. Following best practice, affected parties may also want to provide status updates to customers and other third-party stakeholders.
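As an added example (not a Fortra or Greenbone tool), the script below implements that hunt over two constructed log samples: it groups a log4j-style application log into Java stack traces and flags those containing `SignedObject.getObject`, and it scans a common-log-format access log for the request shapes described in the technical analysis above (a GET to Unlicensed.xhtml with an extra path segment, followed by a POST to /goanywhere/lic/accept/). Both log layouts and every line in the samples are assumptions made for the example; the regexes will need adjusting to the format your instance actually writes, and a POST to the accept endpoint is also produced by legitimate licensing, so it is only marked for review.

```python
"""Hunt for evidence of CVE-2025-10035 exploitation in GoAnywhere MFT logs.

(1) the indicator Fortra's advisory names: a stack trace that mentions
    SignedObject.getObject;
(2) requests shaped like the pre-auth flow from the analysis.
All log lines below are constructed; the log4j-style application log and
the common-log-format access log are assumed layouts, not GoAnywhere's.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

IOC_FRAME = "SignedObject.getObject"
FRAME = re.compile(r"^\s+(at |\.\.\. \d+ more)")
ACCESS = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
UNLICENSED_TRAILING = re.compile(r"^/goanywhere/license/Unlicensed\.xhtml/[^?]+")
LICENSE_ACCEPT = re.compile(r"^/goanywhere/lic/accept/")


@dataclass
class Trace:
    first_line: int
    header: str
    frames: list[str] = field(default_factory=list)

    def matches_ioc(self) -> bool:
        return IOC_FRAME in self.header or any(IOC_FRAME in f for f in self.frames)


def split_traces(lines: list[str]) -> list[Trace]:
    """Group a log into traces: a header (ERROR line or exception class line)
    followed by indented 'at ...' frames and 'Caused by:' lines."""
    traces: list[Trace] = []
    current: Trace | None = None
    for n, line in enumerate(lines, 1):
        if FRAME.match(line) or line.startswith("Caused by:"):
            if current is None:  # frames with no header line above them
                current = Trace(n, "<frames without header>")
            current.frames.append(line.strip())
            continue
        if current is not None:
            traces.append(current)
            current = None
        if "Exception" in line or " ERROR " in line:
            current = Trace(n, line.rstrip())
    if current is not None:
        traces.append(current)
    return traces


def hunt_signedobject_errors(app_log: str) -> list[Trace]:
    """Traces that hit the advisory's IoC string."""
    return [t for t in split_traces(app_log.splitlines()) if t.matches_ioc()]


def hunt_license_requests(access_log: str) -> list[dict]:
    """Flag the pre-auth request shapes. Unlicensed.xhtml with a trailing path
    segment is not something a browser produces (high); POST /lic/accept/ is
    also legitimate licensing traffic, so it is only marked for review."""
    findings = []
    for n, line in enumerate(access_log.splitlines(), 1):
        m = ACCESS.match(line)
        if not m:
            continue
        client, _when, method, path, status = m.groups()
        if method == "GET" and UNLICENSED_TRAILING.match(path):
            findings.append(dict(line=n, client=client, path=path, status=status,
                                 rule="unlicensed-trailing-segment", confidence="high"))
        elif method == "POST" and LICENSE_ACCEPT.match(path):
            findings.append(dict(line=n, client=client, path=path, status=status,
                                 rule="license-accept-post", confidence="review"))
    return findings


# Constructed sample logs (not real GoAnywhere output; class names are made up).
APP_LOG = """\
2025-09-19 10:01:11,870 INFO  [exec-3] LicenseServlet - license request received
2025-09-19 10:01:12,004 WARN  [exec-7] Login - failed login for user admin
2025-09-19 10:01:12,310 ERROR [exec-3] LicenseServlet - error processing license bundle
java.lang.RuntimeException: license processing failed
\tat java.security.SignedObject.getObject(Unknown Source)
\tat LicenseServlet.processBundle(Unknown Source)
\tat LicenseServlet.doPost(Unknown Source)
\t... 40 more
2025-09-19 10:03:40,118 ERROR [exec-9] ReportJob - report generation failed
java.lang.NullPointerException: report definition is null
\tat ReportJob.run(Unknown Source)
2025-09-19 10:04:01,002 INFO  [exec-3] Scheduler - job finished
"""
ACCESS_LOG = """\
203.0.113.7 - - [19/Sep/2025:10:01:10 +0000] "GET /goanywhere/license/Unlicensed.xhtml/x? HTTP/1.1" 200 4812
203.0.113.7 - - [19/Sep/2025:10:01:12 +0000] "POST /goanywhere/lic/accept/EXAMPLE-GUID HTTP/1.1" 500 512
198.51.100.20 - - [19/Sep/2025:10:02:30 +0000] "GET /goanywhere/license/Unlicensed.xhtml HTTP/1.1" 200 4812
10.0.0.5 - - [19/Sep/2025:10:02:45 +0000] "GET /goanywhere/ HTTP/1.1" 200 1044
"""

if __name__ == "__main__":
    for t in hunt_signedobject_errors(APP_LOG):
        print(f"IoC: trace at line {t.first_line}: {t.header}")
    for f in hunt_license_requests(ACCESS_LOG):
        print(f"{f['confidence']:6} line {f['line']}: {f['client']} {f['path']} -> {f['status']}")
```

Correlating the two results by client address and timestamp is what turns a log hit into a finding: the same client fetching the malformed Unlicensed.xhtml route and then posting to the accept endpoint shortly before a SignedObject.getObject trace is the sequence the analysis describes.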

Summary

CVE-2025-10035 is a CVSS 10, maximum-severity deserialization flaw in GoAnywhere MFT which may allow unauthenticated RCE. In 2023 attackers leveraged another CVE in GoAnywhere MFT for widespread exploitation, and national CERTs have issued alerts for this one, signifying high risk. The OPENVAS ENTERPRISE FEED includes a version check so defenders can detect vulnerable instances in their infrastructure. End users should identify both public-facing and internally deployed instances and patch with urgency.