CVE-2025-10035

CVE-2025-10035 is a critical-severity vulnerability in Fortra Goanywhere Managed File Transfer with a CVSS 3.x base score of 10.0. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2025-09-29). The underlying weakness is classified as CWE-77.

Key facts

Description

A deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection.

CVE-2025-10035: Fortra GoAnywhere MFT License Servlet Deserialization to Command Injection

AI-generated analysis based on the vulnerability data on this page.

Attribute Value
CVE ID CVE-2025-10035
Vendor Fortra
Product GoAnywhere Managed File Transfer (MFT)
CVSS 3.1 10.0 (Critical) — AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CWE CWE-77: Command Injection
EPSS 0.99614 (99.94th percentile)
KEV Yes — Added 2025-09-29; actively exploited in the EU since 2025-09-29
Published 2025-09-18
Modified 2026-06-17

2) Summary

A deserialization flaw in the License Servlet of Fortra GoAnywhere MFT allows an actor who can forge a valid license response signature to supply an arbitrary serialized object. Deserialization of that object can lead to command injection (CWE-77), resulting in unauthenticated remote code execution with critical impact.

3) Background

Fortra GoAnywhere MFT is an enterprise managed file transfer solution used to automate and secure data movement workflows. The product includes a License Servlet that processes license validation responses from Fortra's licensing infrastructure. This servlet is the entry point for the vulnerability: it trusts and deserializes objects from externally supplied license response data.

4) Root cause

The root cause is CWE-77 (Command Injection) enabled by unsafe deserialization of actor-controlled data. The License Servlet deserializes an object from the license response without strict type validation or sandboxing. Because the attacker can forge a validly signed response, the application accepts and deserializes an arbitrary object supplied by the attacker. The deserialized object can then influence program execution in a way that allows command injection. This is a classic case of trusting data from a semi-trusted external channel (the license server) without adequate input validation at the deserialization boundary.

5) Impact

This vulnerability is scored CVSS 3.1 10.0 (Critical). The vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H translates to:

  • Network attack vector: Exploitable remotely over the network.
  • Low attack complexity: No special conditions or race conditions are required.
  • No privileges required: Unauthenticated.
  • No user interaction: The target user does not need to perform any action.
  • Changed scope: The vulnerable component can affect resources beyond its own security scope.
  • High impact on confidentiality, integrity, and availability.

In practice, successful exploitation grants the attacker the ability to execute arbitrary commands on the GoAnywhere MFT host, typically with the privileges of the application service account.

6) Exploitation walkthrough

Ethics caveat: This section describes the attack flow from a defensive perspective. No weaponized exploit code is provided. Security practitioners should use this information to design detection and mitigation strategies.

The attack proceeds through the following conceptual stages:

  1. Forge the license response signature. The attacker must produce a license response that carries a cryptographically valid signature accepted by the License Servlet. This is the primary prerequisite.
  2. Embed a malicious serialized object. The attacker constructs a serialized object payload designed to influence the application's behavior during or after deserialization.
  3. Trigger deserialization. The forged response is presented to the License Servlet. The servlet deserializes the attacker-controlled object, which can lead to command injection.
  4. Command execution. The injected command runs on the underlying operating system, typically with the privileges of the GoAnywhere MFT service.

From a defensive standpoint, the critical choke point is the deserialization boundary. Organizations should monitor for unexpected object types, deserialization anomalies, and process-spawning events originating from the GoAnywhere MFT process context.

7) Affected and patched versions

The specific affected version ranges and patched releases were not available in the source data used for this advisory. The CPE identifier broadly covers cpe:2.3:a:fortra:goanywhere_managed_file_transfer:*:*:*:*:*:*:*:*. Administrators should consult Fortra's official security advisory (FI-2025-012) to confirm whether their deployed version is vulnerable and to obtain the exact patched release.

8) Remediation

  • Upgrade immediately to a patched version as specified in Fortra's advisory FI-2025-012.
  • Apply compensating controls if patching cannot be performed immediately:
    • Restrict network access to the GoAnywhere MFT administration and licensing interfaces to trusted administrative hosts only.
    • Deploy a Web Application Firewall (WAF) or network intrusion prevention system in front of the application, with rules tuned to detect anomalous serialized objects or unexpected license response patterns.
    • Ensure the GoAnywhere MFT service account runs with the least privilege necessary.
    • Monitor egress traffic from the GoAnywhere MFT host for unexpected connections.

9) Detection

  • Process monitoring: Alert on unexpected child process spawning from the GoAnywhere MFT application process (e.g., cmd.exe, /bin/sh, powershell.exe, or uncommon binaries).
  • Network monitoring: Inspect traffic associated with license validation callbacks. Look for unusually large responses or responses from non-Fortra IP addresses.
  • Application logging: Enable verbose deserialization logging if available. Alert on deserialization errors, class-not-found exceptions for unexpected types, or exceptions in the License Servlet context.
  • File integrity monitoring: Flag unexpected changes to GoAnywhere MFT configuration files or web application components that may follow post-exploitation activity.

10) Assessment

This CVE carries an EPSS score of 0.99614 (99.94th percentile), indicating an extremely high probability of active exploitation in the wild. It is confirmed in the CISA KEV catalog (added 2025-09-29) and is actively exploited in the EU (since 2025-09-29). Organizations should treat this as an imminent threat and prioritize patching or isolation.

Key lessons:

  1. Deserialization of externally supplied data is a high-risk anti-pattern. Even when the data is expected to come from a "trusted" third-party server (e.g., a license vendor), the application must validate type and content before deserialization.
  2. License and update mechanisms are high-value targets. Attackers understand that these paths often receive less security scrutiny than primary application features. Treat all external data channels as untrusted by default.

11) References

Frequently asked questions

What is CVE-2025-10035?
A deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection.
How severe is CVE-2025-10035?
CVE-2025-10035 has a CVSS 3.x base score of 10.0, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2025-10035 being actively exploited?
Yes. CVE-2025-10035 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2025-09-29, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2025-10035?
CVE-2025-10035 affects Fortra Goanywhere Managed File Transfer. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2025-10035?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2025-10035 have an EU (EUVD) identifier?
Yes. CVE-2025-10035 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-30225. It is also flagged as exploited in the EUVD (since 2025-09-29).
When was CVE-2025-10035 published?
CVE-2025-10035 was published on 2025-09-18 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Fortra Goanywhere Managed File Transfer

All CVEs affecting Fortra Goanywhere Managed File Transfer →

Other CWE-77 (Command Injection) vulnerabilities

Browse all CWE-77 (Command Injection) vulnerabilities →