Critical Vulnerability Alert: CVE-2025-10035 in GoAnywhere MFT

Tags:

Critical Vulnerability Alert- CVE-2025-10035 in GoAnywhere MFT
emma-stevens-bio-portrait
Written by Emma Stevens
Threat Intelligence Researcher

A critical security vulnerability (CVE-2025-10035) has been identified in GoAnywhere MFT, a widely used file transfer solution developed by Fortra. This software is commonly deployed to securely transfer sensitive data such as financial records, HR files, legal documents, and personally identifiable information (PII).

Currently, CVE-2025-10035 is rated at a 10.0 (critical) on the CVSS scale and a 9.23 out of 10 on Bitsight’s Dynamic Vulnerability Exploit (DVE) scale. Fortra recommends immediate update to GoAnywhere MFT 7.8.4 and sustain release 7.6.3, if possible.

CVE-2025-10035 overview

The flaw resides in the license validation mechanism of the platform and allows attackers to forge a malicious license response. This bypasses validation checks and triggers unauthorized system commands, potentially granting remote access to the underlying system. This behavior results from the software's failure to properly sanitize input, potentially allowing attackers to insert specially crafted characters and trigger command injection.

At a deeper level, this is classified as a deserialization vulnerability, meaning the application blindly processes serialized input. This means that the system is assuming the incoming data is safe and verified. Because the GoAnywhere MFT does not properly validate incoming data, this vulnerability can allow attackers to gain unauthorized access. Without proper verification, the system cannot verify whether the information it receives is safe. If an attacker sends specially crafted input, the system may process it as if it were fully validated and trusted, which may result in attacker-controlled code. This could lead to serious consequences such as data theft, loss of PII, lateral movement, and full system compromise.

According to Bitsight Threat Intelligence, no public proof-of-concept (PoC) exploit has been released at this time, and the vulnerability has not been linked to any known ransomware operations or Advanced-Persistent Threat (APT) groups. However, based on publicly available reporting and third-party research, there are indications of limited in-the-wild exploitation. Notably, WatchTowr Labs reported credible signs of exploitation dating back to earlier this month, September 2025, though this has not been independently confirmed by Fortra.

Additionally, Bitsight has observed active discussions of CVE-2025-10035 on cybercriminal forums, indicating growing interest that may lead to broader exploitation. As such, this vulnerability should be treated as a high-priority threat, especially in environments where GoAnywhere MFT is publicly accessible or handles high-value data.

CVE-2025-10035 technical overview

  • Vulnerability Type: Deserialization vulnerability
  • Affected Component: License Servlet in GoAnywhere MFT
  • Potential Impact: Remote command execution
  • CVSS Score: 10.0 (Critical)
  • DVE Score: 9.23 (Bitsight intelligence scoring)

Why this matters

  • Remote attackers may gain full control of vulnerable systems.
  • GoAnywhere MFT handles highly sensitive business data, increasing the risk of data breaches and regulatory impact.
  • Cybercriminal chatter is increasing, a common precursor to more widespread attacks.
  • Systems exposed to the public internet (particularly the Admin Console or License Servlet) are at significantly higher risk.

These scores reflect both the technical severity and the likelihood of real-world exploitation, particularly in externally exposed deployments.

CVE-2025-10035 impact to organizations

Organizations using GoAnywhere MFT may face:

  • Unauthorized remote code execution
  • Data exfiltration through compromised file transfers
  • Persistent access for lateral movement
  • Delayed detection, as deserialization-based exploits can evade standard security tools

Recommendations

1. Immediate patch application
Fortra recommends immediate update to GoAnywhere MFT 7.8.4 and sustain release 7.6.3, if possible. This is the most effective and reliable mitigation. If immediate updates are not possible, Fortra recommends severely limiting or completely removing public access to the GoAnywhere Admin Console / license servlet.

2. Enhanced security monitoring
Deploy SIEM and EDR rules to detect:

  • Unusual license validation activity
  • Command injection patterns
  • Suspicious process spawning from the MFT application

3. Access controls review
Ensure the License Servlet and Admin Console are not exposed to the public internet and are protected by network segmentation, VPN access, and strong authentication.

4. Incident response readiness
Equip incident response teams to detect and react to indicators of exploitation, such as:

  • Unusual admin login behavior
  • Anomalous outbound traffic
  • Log entries referencing SignedObject.getObject

5. Engage with Fortra
Monitor Fortra’s updates for patches, IOCs, and evolving guidance on this vulnerability.

6. Monitor third and fourth party vendors
Monitor vendors to ensure your vendors are not leaving you at risk for exposure or data loss.

Our perspective: Threat landscape and context

Although no ransomware campaigns or APT groups have been publicly linked to CVE-2025-10035, its presence in underground forums and reported signs of active exploitation suggest that opportunistic threat actors may already be leveraging the flaw.

This follows a broader trend seen with prior MFT vulnerabilities, such as MOVEit (2023) and Accellion FTA (2020), where attackers rapidly weaponized similar bugs for data theft, persistence, and extortion.

Bitsight Cyber Threat Intelligence supports your organization by:

  • Identifying external signals of exposure (e.g., internet-facing unpatched GoAnywhere instances)
  • Alerting on threat actor chatter related to CVE-2025-10035
  • Correlating the vulnerability with ongoing MFT-related attack campaigns
  • Delivering executive-ready risk insights to drive faster and more informed decisions
  • Third and Fourth party vendor monitoring
  • Threat actor profiling of actors targeting or discussing this CVE

CVE-2025-10035 is not just a technical flaw, it’s a business risk. Exploitation could result in data loss, reputational damage, and regulatory exposure. Taking swift, proactive measures like updating the application, leveraging timely cyber threat intelligence, and third party risk management is critical to minimizing organizational risk and staying ahead of threat actors.

To learn more about CVE-2025-10035 or to talk with a Cyber Threat Intelligence expert, contact our team today.

Bitsight Pulse right rail CTA immediacy