- Cybersecurity company Fortra disclosed a new critical vulnerability in GoAnywhere MFT
- It's unclear whether the vulnerability has been exploited in the wild, but past GoAnywhere MFT vulnerabilities have been targeted by ransomware and other threat actors
- Fixed versions are available and customers should restrict access to the admin console
Late on Thursday, September 18, cybersecurity firm Fortra published an advisory for CVE-2025-10035, a critical vulnerability in their GoAnywhere MFT solution. The vulnerability ultimately arises from a deserialization flaw in GoAnywhere MFT's license servlet, allowing remote attackers with “a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection.” The vulnerability carries a CVSSv3 score of 10.
Fortra's advisory doesn't specify whether the issue has been exploited in the wild.
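To make the mechanism concrete, the following is an added illustration in Java (GoAnywhere MFT is a Java product) of the pattern the advisory describes: a signature check gates a license response, but the response body is then fed to an unfiltered `ObjectInputStream`, so anyone holding a signature that verifies chooses which class gets instantiated. This is not Fortra's code and not GoAnywhere MFT's license servlet, whose internals the advisory does not describe; the `LicenseResponse` and `NotALicense` classes, the `SHA256withECDSA` key pair standing in for a vendor signing key, and the method names are all assumptions. The hardened variant keeps the signature check and adds a JEP 290 allowlist filter so that a validly signed stream naming any other class is rejected before its `readObject()` runs.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;

public class LicenseResponseDemo {

    // Hypothetical license payload; stands in for whatever object a real
    // license servlet expects. Not a GoAnywhere MFT class.
    static final class LicenseResponse implements Serializable {
        private static final long serialVersionUID = 1L;
        final String licensee;
        final long expiresEpochSeconds;
        LicenseResponse(String licensee, long expiresEpochSeconds) {
            this.licensee = licensee;
            this.expiresEpochSeconds = expiresEpochSeconds;
        }
    }

    // Stand-in for a deserialization gadget: any Serializable class on the
    // classpath whose readObject() has side effects. Real gadget chains end in
    // command execution; this one only flips a flag so the demo is harmless.
    static final class NotALicense implements Serializable {
        private static final long serialVersionUID = 1L;
        static boolean sideEffectRan = false;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            sideEffectRan = true;
        }
    }

    static byte[] sign(byte[] data, PrivateKey key) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withECDSA");
        s.initSign(key);
        s.update(data);
        return s.sign();
    }

    static boolean verify(byte[] data, byte[] sig, PublicKey key) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withECDSA");
        s.initVerify(key);
        s.update(data);
        return s.verify(sig);
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    // VULNERABLE PATTERN: the signature gates the call, but once it passes the
    // bytes go to an unfiltered ObjectInputStream. Whatever class the stream
    // names gets instantiated and its readObject() runs.
    static Object vulnerableParse(byte[] payload, byte[] sig, PublicKey key) throws Exception {
        if (!verify(payload, sig, key)) {
            throw new SecurityException("license response signature invalid");
        }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            return in.readObject();
        }
    }

    // HARDENED: same signature check, plus an allowlist deserialization filter
    // (JEP 290, Java 9+). The filter is consulted before a class is resolved or
    // instantiated, so a stream naming anything other than LicenseResponse is
    // rejected even when its signature verifies.
    static LicenseResponse hardenedParse(byte[] payload, byte[] sig, PublicKey key) throws Exception {
        if (!verify(payload, sig, key)) {
            throw new SecurityException("license response signature invalid");
        }
        ObjectInputFilter allowlist = info -> {
            Class<?> c = info.serialClass();
            if (c == null) {
                return ObjectInputFilter.Status.UNDECIDED; // primitives / stream bookkeeping, no class to judge
            }
            return (c == LicenseResponse.class || c == String.class)
                    ? ObjectInputFilter.Status.ALLOWED
                    : ObjectInputFilter.Status.REJECTED;
        };
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            in.setObjectInputFilter(allowlist);
            return (LicenseResponse) in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumption: this key pair models the vendor's license-signing key.
        KeyPair kp = KeyPairGenerator.getInstance("EC").generateKeyPair();

        byte[] legit = serialize(new LicenseResponse("example-customer", 1_900_000_000L));
        byte[] legitSig = sign(legit, kp.getPrivate());
        System.out.println("legit, vulnerable path: "
                + vulnerableParse(legit, legitSig, kp.getPublic()).getClass().getSimpleName());
        System.out.println("legit, hardened path:   " + hardenedParse(legit, legitSig, kp.getPublic()).licensee);

        // Attacker-chosen object. Signing it here models the advisory's stated
        // precondition ("a validly forged license response signature"); how an
        // attacker obtains such a signature is not described and is not modelled.
        byte[] forged = serialize(new NotALicense());
        byte[] forgedSig = sign(forged, kp.getPrivate());

        vulnerableParse(forged, forgedSig, kp.getPublic());
        System.out.println("forged, vulnerable path ran attacker readObject(): " + NotALicense.sideEffectRan);

        NotALicense.sideEffectRan = false;
        try {
            hardenedParse(forged, forgedSig, kp.getPublic());
        } catch (InvalidClassException e) {
            System.out.println("forged, hardened path rejected: " + e.getMessage());
        }
        System.out.println("forged, hardened path ran attacker readObject(): " + NotALicense.sideEffectRan);
    }
}
```

Save as `LicenseResponseDemo.java` and run with `java LicenseResponseDemo.java` on Java 11 or later. The vulnerable path accepts the signed `NotALicense` stream and its `readObject()` executes; the hardened path throws `InvalidClassException` ("filter status: REJECTED") before the class is instantiated. The point for defenders is that a signature check on attacker-reachable input is necessary but not sufficient: the deserializer must also constrain the types it will materialize, and the safer design is to avoid Java native serialization for externally supplied data altogether in favour of a fixed-schema format.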
GoAnywhere MFT is a managed file transfer product that stores a wealth of sensitive data and is a crown jewel-type target particularly for ransomware and extortion groups. The vendor advisory lists the discovery date for CVE-2025-10035 as September 13, meaning the turnaround time from discovery to patch release was nominally only five days — an appropriately urgent (but still impressive) fix timeline for a product that has previously been exploited by ransomware and other groups:
- CVE-2023-0669, another deserialization vulnerability that led to command injection, was disclosed as a zero-day in early 2023 after being exploited by the Cl0p ransomware and extortion group in a hack that affected 100+ organizations; to date, the flaw is known to have been leveraged by at least five different ransomware groups.
- CVE-2024-0204, a critical authentication bypass, was disclosed in early 2024 and allowed adversaries to access the admin panel and add unauthorized admin users. CVE-2024-0204 isn't known to have been exploited en masse, but has had multiple weaponized public exploits available since January 2024; Shadowserver is still detecting ongoing exploitation attempts for this issue as of September 2025.
Notably, the vulnerability description and root cause of CVE-2025-10035 are virtually identical to those of CVE-2023-0669: both are deserialization flaws in GoAnywhere MFT that lead to command injection.
Remediation
Fortra's advisory for CVE-2025-10035 doesn't specify affected versions, but advises GoAnywhere MFT customers to update to a patched version, namely 7.8.4 (latest) or 7.6.3 (“Sustain Release”). The vendor also notes that “exploitation of this vulnerability is highly dependent upon systems being externally exposed to the internet.”
Given GoAnywhere MFT's history of threat actor targeting, we'd advise making that update an immediate priority, along with ensuring the GoAnywhere MFT admin console isn't exposed to the public internet. In general, it's also advisable to implement egress filtering and alert on large file uploads, high-volume traffic to suspicious IPs or domains, and data transfer and archive utility usage.
As always, if the vulnerability turns out to have been exploited in the wild as a zero-day (which was unclear at time of disclosure), patching alone will not eradicate adversaries from compromised systems. Organizations whose GoAnywhere MFT instances were internet-exposed before the update should also look for signs of prior compromise rather than assume the update closed the matter.
About VulnCheck
The VulnCheck research team is always on the lookout for new vulnerabilities to analyze and abuse. For more research like this, see New Citrix NetScaler Zero-Day Vulnerability Exploited in the Wild, Command Injection in Jenkins via Git Parameter (CVE-2025-53652), and Still Up, Still Evil: A Look at Attacker Infrastructure Longevity.
Sign up for the VulnCheck community today to get free access to our VulnCheck KEV, enjoy our comprehensive vulnerability data, and request a trial of our Initial Access Intelligence, IP Intelligence, and Exploit & Vulnerability Intelligence products.