Fortra released security updates for a critical severity vulnerability impacting GoAnywhere MFT’s License Servlet. Tracked as CVE-2025-10035, the vulnerability has a CVSS score of 10. Successful exploitation of the vulnerability may allow an attacker to achieve unauthenticated remote code execution.
GoAnywhere MFT is a secure managed file transfer solution that provides smooth data sharing between systems, employees, clients, and business partners. It helps process information from files into XML, EDI, CSV, and JSON databases and offers centralized control with a wide range of security settings and complete audit trails.
Vulnerability Details
The deserialization vulnerability exists in the License Servlet of Fortra's GoAnywhere MFT. An attacker must have a validly forged license response signature to deserialize an arbitrary attacker-controlled object, which can lead to command injection.
Indicator of Compromise
Customers are advised to monitor their Admin Audit logs for suspicious activity and the log files for errors containing SignedObject.getObject.
Affected Versions
The vulnerability affects the following versions:
- GoAnywhere MFT version before 7.8.4
- GoAnywhere MFT Sustain version before 7.6.3
Mitigation
Users must upgrade to the following versions:
- GoAnywhere MFT version 7.8.4 and later
- GoAnywhere MFT Sustain version 7.6.3 and later
For more information, please refer to the Fortra Security Advisory.
Note: Users must ensure that the GoAnywhere Admin Console is not exposed to the public internet. Successful exploitation of this vulnerability depends heavily on the system being reachable from the internet.
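As an added example (not code from the advisory or from Fortra), the two defender checks above, the affected-version test from the Affected Versions and Mitigation lists and the SignedObject.getObject error marker from the Indicator of Compromise section, can be scripted for triage. The log layout (a timestamped first line followed by stack-trace continuation lines) and the rule that 7.6.x releases belong to the Sustain line are assumptions, and the sample log is constructed.

```python
import re

FIXED_MAIN = (7, 8, 4)     # GoAnywhere MFT fixed in 7.8.4
FIXED_SUSTAIN = (7, 6, 3)  # GoAnywhere MFT Sustain fixed in 7.6.3
IOC_MARKER = "SignedObject.getObject"  # error marker named in the advisory
ENTRY_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} ")  # assumed log layout


def parse_version(version: str) -> tuple:
    """'7.8.3' -> (7, 8, 3); tuples compare component-wise, so 7.8.4.1 > 7.8.4."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str, sustain=None) -> bool:
    """True when the version is below the fixed release for its line. sustain=None
    treats 7.6.x as Sustain (an assumption); pass True/False to override."""
    v = parse_version(version)
    if sustain is None:
        sustain = v[:2] == (7, 6)
    return v < (FIXED_SUSTAIN if sustain else FIXED_MAIN)


def find_ioc_entries(log_text: str) -> list:
    """Group a log into timestamped entries (stack-trace lines attach to the
    entry above them) and return the entries that mention the IOC marker."""
    entries, current = [], []
    for line in log_text.splitlines():
        if ENTRY_START.match(line) and current:
            entries.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        entries.append("\n".join(current))
    return [e for e in entries if IOC_MARKER in e]


# Constructed sample log: not real GoAnywhere output.
SAMPLE_LOG = """\
2025-09-18 10:15:02 INFO  License check completed
2025-09-18 10:16:40 ERROR Unable to process license response
java.lang.RuntimeException: deserialization failed
\tat java.base/java.security.SignedObject.getObject(SignedObject.java:181)
2025-09-18 10:17:01 INFO  Scheduler tick
"""

if __name__ == "__main__":
    for ver in ("7.8.3", "7.8.4", "7.6.2", "7.6.3"):
        print(ver, "vulnerable" if is_vulnerable(ver) else "fixed")
    for entry in find_ioc_entries(SAMPLE_LOG):
        print("IOC hit:\n" + entry)
```

A hit only means the error marker is present; confirm it against the Admin Audit logs before treating the host as compromised.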
Qualys Detection
Qualys customers can scan their devices with QID 733215 to detect vulnerable assets.
Please follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://www.fortra.com/security/advisories/product-security/fi-2025-012