External risk intelligence

Fortra GoAnywhere MFT Command Injection Vulnerability.

CVE advisory | Known Exploit

CVE-2025-10035

A deserialization vulnerability in Fortra's GoAnywhere MFT may allow an attacker to execute commands, potentially impacting systems and data.

Halo Surface Signal: 5

Deserialization

Fortra GoAnywhere Managed File Transfer

before 7.6.3; 7.7.0 to before 7.8.4

External exposure likelihood

Halo Surface Signal score for CVE-2025-10035

GoAnywhere MFT is an enterprise managed file transfer solution designed to be network-accessible for data exchange. As a product meant to facilitate external file transfers, its interface is commonly exposed to the internet or edge gateways to support partner and client connectivity, making it a public-facing service by design.

Horizon Alert

Summary of the vulnerability and why it matters

A deserialization flaw within the License Servlet of Fortra's GoAnywhere MFT presents a significant security risk. This vulnerability allows an attacker, by using a forged license response signature, to deserialize an object that can lead to the execution of arbitrary commands. The primary concern stems from the potential for command injection, which could compromise the integrity and confidentiality of systems and data.

  • Vulnerable: Fortra GoAnywhere MFT License Servlet
  • Flaw: Deserializes arbitrary, actor-controlled objects
  • Impact: Potential command injection and data compromise

Attack Path

How an attacker could exploit the issue

An attacker can exploit the deserialization vulnerability in the License Servlet to achieve command injection. By supplying a validly forged license response signature, the attacker causes the servlet to deserialize an arbitrary object. Successful exploitation can lead to the execution of arbitrary commands on the affected system.

  • Exposed License Servlet
  • Forged license response signature
  • Deserialization leads to command injection

Live Threat

Current exploitation, exposure, and threat context

A critical deserialization vulnerability in Fortra's GoAnywhere MFT allows an attacker to execute arbitrary code on affected systems. This could lead to significant business disruption, including data exfiltration, ransomware deployment, and lateral movement within an organization's network. Organizations using the affected software should prioritize applying patches or implementing workarounds to mitigate this risk.

  • Likely attacker skill level: High
  • Required access or conditions: Publicly exposed admin console
  • Business risk or urgency: Critical; immediate action required

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

A critical deserialization vulnerability has been identified in Fortra's GoAnywhere MFT. This flaw could allow an attacker to execute arbitrary commands by crafting a malicious license response. The vulnerability has been listed as actively exploited, indicating a significant risk to organizations using the affected product.

  • Identify GoAnywhere MFT assets.
  • Restrict network access.
  • Apply vendor updates and verify.
  • Monitor for related activity.

Frequently asked questions

What is Fortra GoAnywhere MFT used for?

Fortra GoAnywhere MFT is a managed file transfer solution used by organizations to securely automate, exchange, and manage data transfers. It supports various industry-standard protocols and helps meet compliance requirements for data security and privacy.

What is the vulnerability in CVE-2025-10035?

CVE-2025-10035 is a deserialization vulnerability (CWE-502) in GoAnywhere MFT's License Servlet. It allows an attacker with a forged license signature to deserialize an arbitrary object, potentially leading to command injection (CWE-77).

How can an attacker exploit this GoAnywhere MFT vulnerability?

An attacker needs a validly forged license response signature to exploit this vulnerability. This allows them to deserialize an arbitrary object, which can then lead to command injection on the affected system.

Who should be concerned about CVE-2025-10035?

Organizations using Fortra GoAnywhere MFT should be concerned, especially if their admin console is publicly accessible. This product is designed for network accessibility, often exposing it to the internet for partner and client connectivity, making it a potential target for external threats.

What are the first steps to address this threat?

Identify all GoAnywhere MFT assets, apply the latest vendor updates (versions 7.6.3 or 7.8.4 are not affected), and restrict network access to the admin console where possible. Monitoring for suspicious activity in logs is also recommended.
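The first steps above (inventory, version check, admin console exposure) can be combined into a simple triage pass. The following is an added example, not Fortra's or this page's own tooling; the inventory format, host names and status labels are constructed, and the affected ranges are read from this advisory as "before 7.6.3" and "7.7.0 to before 7.8.4".

```python
import re

# Affected ranges as read from this advisory: [low, high), upper bound exclusive.
AFFECTED = [((0, 0, 0), (7, 6, 3)), ((7, 7, 0), (7, 8, 4))]

def parse_version(text):
    """Return (major, minor, patch), or None if text is not a dotted version."""
    m = re.fullmatch(r"\s*v?(\d+)\.(\d+)(?:\.(\d+))?\s*", text or "")
    if not m:
        return None
    return tuple(int(g) if g is not None else 0 for g in m.groups())

def is_affected(version_text):
    """True/False for a parsable version, None when it cannot be determined."""
    v = parse_version(version_text)
    if v is None:
        return None
    # Tuple comparison is numeric, so 7.6.10 correctly sorts after 7.6.3.
    return any(lo <= v < hi for lo, hi in AFFECTED)

def triage(asset):
    """Combine version status with admin console exposure into a status label."""
    affected = is_affected(asset.get("version"))
    # Assumption: exposure that was never recorded is treated as public.
    exposed = asset.get("admin_console_public", True)
    if affected is None:
        return "verify-version"
    if not affected:
        return "not-affected"
    return "patch-now-restrict-access" if exposed else "patch-now"

# Constructed inventory for illustration only.
INVENTORY = [
    {"host": "mft-edge-01", "version": "7.6.2", "admin_console_public": True},
    {"host": "mft-edge-02", "version": "7.8.3", "admin_console_public": False},
    {"host": "mft-int-01", "version": "7.6.3", "admin_console_public": False},
    {"host": "mft-int-02", "version": "7.8.4", "admin_console_public": True},
    {"host": "mft-lab-01", "version": "unknown"},
]

def report(inventory):
    """Map each host to its triage status."""
    return {a["host"]: triage(a) for a in inventory}

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts that come back as `verify-version` need a manual check of the installed build before they can be considered remediated.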

References

Cyber Threat Intelligence (CTI)

Sources: malpedia, threatActor