CVE-2025-10035
CVE-2025-10035 is a critical-severity vulnerability in Fortra Goanywhere Managed File Transfer with a CVSS 3.x base score of 10.0. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2025-09-29). The underlying weakness is classified as CWE-77.
Key facts
- Severity: Critical (CVSS 3.x base score 10.0)
- EPSS exploit prediction: 100% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2025-09-29)
- EU (EUVD) id: EUVD-2025-30225
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2025-09-29)
- Weakness: CWE-77
- Affected product: Fortra Goanywhere Managed File Transfer
- Published:
- Last modified:
Description
A deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection.
CVE-2025-10035: Fortra GoAnywhere MFT License Servlet Deserialization to Command Injection
AI-generated analysis based on the vulnerability data on this page.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2025-10035 |
| Vendor | Fortra |
| Product | GoAnywhere Managed File Transfer (MFT) |
| CVSS 3.1 | 10.0 (Critical) — AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| CWE | CWE-77: Command Injection |
| EPSS | 0.99614 (99.94th percentile) |
| KEV | Yes — Added 2025-09-29; actively exploited in the EU since 2025-09-29 |
| Published | 2025-09-18 |
| Modified | 2026-06-17 |
2) Summary
A deserialization flaw in the License Servlet of Fortra GoAnywhere MFT allows an actor who can forge a valid license response signature to supply an arbitrary serialized object. Deserialization of that object can lead to command injection (CWE-77), resulting in unauthenticated remote code execution with critical impact.
3) Background
Fortra GoAnywhere MFT is an enterprise managed file transfer solution used to automate and secure data movement workflows. The product includes a License Servlet that processes license validation responses from Fortra's licensing infrastructure. This servlet is the entry point for the vulnerability: it trusts and deserializes objects from externally supplied license response data.
4) Root cause
The root cause is CWE-77 (Command Injection) enabled by unsafe deserialization of actor-controlled data. The License Servlet deserializes an object from the license response without strict type validation or sandboxing. Because the attacker can forge a validly signed response, the application accepts and deserializes an arbitrary object supplied by the attacker. The deserialized object can then influence program execution in a way that allows command injection. This is a classic case of trusting data from a semi-trusted external channel (the license server) without adequate input validation at the deserialization boundary.
5) Impact
This vulnerability is scored CVSS 3.1 10.0 (Critical). The vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H translates to:
- Network attack vector: Exploitable remotely over the network.
- Low attack complexity: No special conditions or race conditions are required.
- No privileges required: Unauthenticated.
- No user interaction: The target user does not need to perform any action.
- Changed scope: The vulnerable component can affect resources beyond its own security scope.
- High impact on confidentiality, integrity, and availability.
In practice, successful exploitation grants the attacker the ability to execute arbitrary commands on the GoAnywhere MFT host, typically with the privileges of the application service account.
6) Exploitation walkthrough
Ethics caveat: This section describes the attack flow from a defensive perspective. No weaponized exploit code is provided. Security practitioners should use this information to design detection and mitigation strategies.
The attack proceeds through the following conceptual stages:
- Forge the license response signature. The attacker must produce a license response that carries a cryptographically valid signature accepted by the License Servlet. This is the primary prerequisite.
- Embed a malicious serialized object. The attacker constructs a serialized object payload designed to influence the application's behavior during or after deserialization.
- Trigger deserialization. The forged response is presented to the License Servlet. The servlet deserializes the attacker-controlled object, which can lead to command injection.
- Command execution. The injected command runs on the underlying operating system, typically with the privileges of the GoAnywhere MFT service.
From a defensive standpoint, the critical choke point is the deserialization boundary. Organizations should monitor for unexpected object types, deserialization anomalies, and process-spawning events originating from the GoAnywhere MFT process context.
7) Affected and patched versions
The specific affected version ranges and patched releases were not available in the source data used for this advisory. The CPE identifier broadly covers cpe:2.3:a:fortra:goanywhere_managed_file_transfer:*:*:*:*:*:*:*:*. Administrators should consult Fortra's official security advisory (FI-2025-012) to confirm whether their deployed version is vulnerable and to obtain the exact patched release.
8) Remediation
- Upgrade immediately to a patched version as specified in Fortra's advisory FI-2025-012.
- Apply compensating controls if patching cannot be performed immediately:
- Restrict network access to the GoAnywhere MFT administration and licensing interfaces to trusted administrative hosts only.
- Deploy a Web Application Firewall (WAF) or network intrusion prevention system in front of the application, with rules tuned to detect anomalous serialized objects or unexpected license response patterns.
- Ensure the GoAnywhere MFT service account runs with the least privilege necessary.
- Monitor egress traffic from the GoAnywhere MFT host for unexpected connections.
9) Detection
- Process monitoring: Alert on unexpected child process spawning from the GoAnywhere MFT application process (e.g.,
cmd.exe,/bin/sh,powershell.exe, or uncommon binaries). - Network monitoring: Inspect traffic associated with license validation callbacks. Look for unusually large responses or responses from non-Fortra IP addresses.
- Application logging: Enable verbose deserialization logging if available. Alert on deserialization errors, class-not-found exceptions for unexpected types, or exceptions in the License Servlet context.
- File integrity monitoring: Flag unexpected changes to GoAnywhere MFT configuration files or web application components that may follow post-exploitation activity.
10) Assessment
This CVE carries an EPSS score of 0.99614 (99.94th percentile), indicating an extremely high probability of active exploitation in the wild. It is confirmed in the CISA KEV catalog (added 2025-09-29) and is actively exploited in the EU (since 2025-09-29). Organizations should treat this as an imminent threat and prioritize patching or isolation.
Key lessons:
- Deserialization of externally supplied data is a high-risk anti-pattern. Even when the data is expected to come from a "trusted" third-party server (e.g., a license vendor), the application must validate type and content before deserialization.
- License and update mechanisms are high-value targets. Attackers understand that these paths often receive less security scrutiny than primary application features. Treat all external data channels as untrusted by default.
11) References
Frequently asked questions
- What is CVE-2025-10035?
- A deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection.
- How severe is CVE-2025-10035?
- CVE-2025-10035 has a CVSS 3.x base score of 10.0, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2025-10035 being actively exploited?
- Yes. CVE-2025-10035 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2025-09-29, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2025-10035?
- CVE-2025-10035 affects Fortra Goanywhere Managed File Transfer. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2025-10035?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2025-10035 have an EU (EUVD) identifier?
- Yes. CVE-2025-10035 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-30225. It is also flagged as exploited in the EUVD (since 2025-09-29).
- When was CVE-2025-10035 published?
- CVE-2025-10035 was published on 2025-09-18 and last updated on 2026-06-17.
References
- https://www.fortra.com/security/advisories/product-security/fi-2025-012
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-10035
Affected products (1)
- cpe:2.3:a:fortra:goanywhere_managed_file_transfer:*:*:*:*:*:*:*:*
More vulnerabilities in Fortra Goanywhere Managed File Transfer
- CVE-2024-0204 — Critical (CVSS 9.8): Authentication bypass in Fortra's GoAnywhere MFT prior to 7.4.1 allows an unauthorized user to create an admin user via…
- CVE-2025-14362 — High (CVSS 7.3): The login limit is not enforced on the SFTP service of Fortra's GoAnywhere MFT prior to 7.10.0 if the Web User…
- CVE-2023-0669 — High (CVSS 7.2): Fortra (formerly, HelpSystems) GoAnywhere MFT suffers from a pre-authentication command injection vulnerability in the…
- CVE-2026-1089 — Medium (CVSS 6.5): User‑Controlled HTTP Header in Fortra's GoAnywhere MFT prior to version 7.10.0 allows attackers to trigger a DNS…
- CVE-2024-25157 — Medium (CVSS 6.5): An authentication bypass vulnerability in GoAnywhere MFT prior to 7.6.0 allows Admin Users with access to the Agent…
- CVE-2024-25156 — Medium (CVSS 6.5): A path traversal vulnerability exists in GoAnywhere MFT prior to 7.4.2 which allows attackers to circumvent…
All CVEs affecting Fortra Goanywhere Managed File Transfer →
Other CWE-77 (Command Injection) vulnerabilities
- CVE-2026-23652 — Critical (CVSS 10.0): Improper neutralization of special elements used in a command ('command injection') in Microsoft Power Pages allows an…
- CVE-2025-59818 — Critical (CVSS 10.0): This vulnerability allows authenticated attackers to execute arbitrary commands on the underlying system using the file…
- CVE-2025-64093 — Critical (CVSS 10.0): Remote Code Execution vulnerability that allows unauthenticated attackers to inject arbitrary commands into the…
- CVE-2025-64090 — Critical (CVSS 10.0): This vulnerability allows authenticated attackers to execute commands via the hostname of the device.
- CVE-2025-61492 — Critical (CVSS 10.0): A command injection vulnerability in the execute_command function of terminal-controller-mcp 0.1.7 allows attackers to…
- CVE-2024-48841 — Critical (CVSS 10.0): Network access can be used to execute arbitrary code with elevated privileges. This issue affects FLXEON 9.3.4…