Fortra has disclosed details of a critical security flaw in GoAnywhere Managed File Transfer (MFT) software that could result in the execution of arbitrary commands.
The vulnerability, tracked as CVE-2025-10035, carries a CVSS score of 10.0, indicating maximum severity.
“A deserialization vulnerability in the License Servlet of Fortra’s GoAnywhere MFT allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection,” Fortra said in an advisory released Thursday.
The company also noted that successful exploitation of the vulnerability is dependent on the system being publicly accessible over the internet.
Users are advised to update to the patched release – version 7.8.4, or the Sustain Release 7.6.3 – to safeguard against potential threats. If immediate patching is not possible, it’s advisable to ensure that access to the GoAnywhere Admin Console is not open to the public.
Fortra makes no mention of the flaw being exploited in the wild. That said, previously disclosed shortcomings in the same product (CVE-2023-0669, CVSS score: 7.2) were abused as a zero-day by ransomware actors to steal sensitive data.
Then, early last year, it addressed another critical vulnerability in the GoAnywhere MFT (CVE-2024-0204, CVSS score: 9.8) that could have been exploited to create new administrator users.
“The newly disclosed vulnerability in Fortra’s GoAnywhere MFT solution impacts the same license code path in the Admin Console as the earlier CVE-2023-0669, which was widely exploited by multiple ransomware and APT groups in 2023, including LockBit,” Ryan Dewhurst, head of proactive threat intelligence at watchTowr, said in a statement shared with The Hacker News.
“With thousands of GoAnywhere MFT instances exposed to the Internet, this issue is almost certain to be weaponized for in-the-wild exploitation soon. While Fortra notes exploitation requires external exposure, these systems are generally Internet-facing by design, so organizations should assume they are vulnerable. Organizations should apply the official patches immediately and take steps to restrict external access to the Admin Console.”
