Fortra released security updates for a critical severity vulnerability impacting GoAnywhere MFT’s License Servlet. Tracked as CVE-2025-10035, the vulnerability has a CVSS score of 10. Successful exploitation of the vulnerability may allow an attacker to achieve unauthenticated remote code execution.
CISA acknowledged the vulnerability’s active exploitation by adding it to its Known Exploited Vulnerabilities Catalog and urging users to patch it before October 20, 2025.
GoAnywhere MFT is a secure managed file transfer solution that enables data sharing between systems, employees, clients, and business partners. It can translate file contents to and from formats such as XML, EDI, CSV, and JSON and into databases, and it offers centralized control with a wide range of security settings and complete audit trails.
Vulnerability Details
The deserialization vulnerability exists in the License Servlet of Fortra's GoAnywhere MFT. A threat actor holding a validly forged license response signature can cause the servlet to deserialize an arbitrary actor-controlled object, which can lead to command injection.
Qualys Threat Intelligence assigned the vulnerability a Qualys Vulnerability Score (QVS) of 95. QVS is a Qualys-assigned score for a vulnerability that combines multiple factors associated with the CVE, such as its CVSS score and external threat indicators including active exploitation, exploit code maturity, presence in the CISA Known Exploited Vulnerabilities Catalog, and more.
Microsoft announced in an article on Monday that it has linked a threat group known as Storm-1175 to the exploitation of a critical vulnerability in Fortra’s GoAnywhere software, which was used to deploy the Medusa ransomware.
The article states, “The vulnerability could allow a threat actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection and potential remote code execution.”
Indicators of Compromise
Customers are advised to monitor their Admin Audit logs for suspicious activity and the log files for errors containing SignedObject.getObject.
Affected Versions
The vulnerability affects the following versions:
- GoAnywhere MFT version before 7.8.4
- GoAnywhere MFT Sustain version before 7.6.3
Mitigation
Users must upgrade to the following versions:
- GoAnywhere MFT version 7.8.4 and later
- GoAnywhere MFT Sustain version 7.6.3 and later
For more information, please refer to the Fortra Security Advisory.
Note: Users must ensure that access to the GoAnywhere Admin Console is not exposed to the public internet. Successful exploitation of this vulnerability depends heavily on the system being reachable from the internet.
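As an added triage example (not Qualys or Fortra code) that combines the indicator of compromise above with the version thresholds from the Affected Versions and Mitigation sections: the version check uses the fixed releases stated on this page, while the log-line layout and the sample log lines are constructed assumptions.

```python
"""Triage helpers for CVE-2025-10035 in GoAnywhere MFT's License Servlet.

Added example, not Qualys or Fortra code. Fixed-version thresholds are from the
advisory above; the log layout is an assumption, only "SignedObject.getObject" is not.
"""
import re

# Fixed releases per product line (from the advisory); anything below is affected.
FIXED_VERSIONS = {
    "GoAnywhere MFT": (7, 8, 4),
    "GoAnywhere MFT Sustain": (7, 6, 3),
}
INDICATOR = "SignedObject.getObject"
# Assumed layout "<date> <time> <LEVEL> <message>"; adjust to the real log format.
LOG_LINE = re.compile(r"^(?P<ts>\S+ \S+)\s+(?P<level>[A-Z]+)\s+(?P<msg>.*)$")

def parse_version(version: str) -> tuple:
    """Turn '7.8.3' into (7, 8, 3) so versions compare numerically, not as strings."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (3 - len(nums))  # pad '7.8' to (7, 8, 0)

def is_vulnerable(product: str, version: str) -> bool:
    """True when the installed version is below the fixed release for its product line."""
    return parse_version(version) < FIXED_VERSIONS[product]

def find_indicators(log_lines):
    """Return (timestamp, message) for error-level lines that mention the indicator."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if m and m.group("level") in ("ERROR", "SEVERE") and INDICATOR in m.group("msg"):
            hits.append((m.group("ts"), m.group("msg")))
    return hits

# Constructed sample lines, not real GoAnywhere output.
SAMPLE_LOG = [
    "2025-09-18 02:14:07 INFO  License servlet request received",
    "2025-09-18 02:14:08 ERROR Unhandled exception in License Servlet: java.security.SignedObject.getObject",
    "2025-09-18 02:15:00 INFO  Scheduled job completed",
    "2025-09-18 02:16:41 ERROR java.lang.ClassCastException at java.security.SignedObject.getObject(SignedObject.java)",
]

if __name__ == "__main__":
    for ts, msg in find_indicators(SAMPLE_LOG):
        print(ts, msg)
```

Point find_indicators at the actual GoAnywhere log files after adapting LOG_LINE to their format; any hit warrants a review of the Admin Audit logs for the same time window.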
Qualys Detection
Qualys customers can scan their devices with QIDs 733215 and 530505 to detect vulnerable assets.
Please follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://www.fortra.com/security/advisories/product-security/fi-2025-012
https://www.microsoft.com/en-us/security/blog/2025/10/06/investigating-active-exploitation-of-cve-2025-10035-goanywhere-managed-file-transfer-vulnerability/