CVE-2025-10035
published 2025-09-18
CVE-2025-10035: A deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an actor with a validly forged license response signature to…
Priority: P1 · 98 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability, due 2025-10-20
Exploited in the wild
EPSS: 99.61% (99.9th percentile)
A deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fortra | goanywhere_managed_file_transfer | < 7.6.3 | 7.6.3 |
| fortra | goanywhere_managed_file_transfer | >= 7.7.0 < 7.8.4 | 7.8.4 |
| fortra | goanywhere_mft | <= 7.8.3 | — |
Detection & IOCs (extracted from sources)
- Search GoAnywhere MFT log files for stack trace errors containing the string 'SignedObject.getObject' to identify exploitation attempts.
- Hunt for creation of a backdoor admin account named 'admin-go' in GoAnywhere MFT, which was observed post-exploitation.
- Monitor for RMM tools SimpleHelp and MeshAgent being launched on GoAnywhere MFT hosts as persistence indicators attributed to Storm-1175.
- Detect Netscan execution on GoAnywhere MFT hosts as a network reconnaissance indicator post-exploitation.
- Detect Rclone execution on GoAnywhere MFT hosts as a data exfiltration indicator post-exploitation.
- Monitor Admin Audit logs in GoAnywhere MFT for suspicious activity, as recommended by Fortra, to detect compromise.
- Exploitation involves achieving remote command execution via pre-auth deserialization in the License Servlet, followed by secondary payload upload and execution.
- The vulnerability requires the attacker to possess a validly forged license response signature to trigger deserialization; this is a prerequisite for exploitation.
- Patched versions are GoAnywhere MFT 7.8.4 (latest) and 7.6.3 (Sustain Release); systems not yet upgraded remain vulnerable.
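A defender-side triage script for the indicators listed above, added here as an example and not taken from any of the cited sources. It runs the checks over constructed sample log lines; the line format (the AdminAudit/ProcessStart tags, file paths and addresses) is assumed, not real GoAnywhere output, so the patterns would need adjusting to the actual log layout.

```python
import re
from collections import Counter

# Constructed sample log lines (not real GoAnywhere output; the line formats,
# the AdminAudit/ProcessStart tags and the path/IP values are all assumed).
SAMPLE_LOGS = [
    "2025-09-11 03:14:05 ERROR [exec-7] LicenseServlet - java.io.InvalidClassException",
    "\tat java.base/java.security.SignedObject.getObject(SignedObject.java:176)",
    "\tat com.example.LicenseResponseServlet.doPost(Unknown Source)",
    "2025-09-11 03:15:40 INFO AdminAudit - user=admin action=CREATE_USER target=admin-go role=Admin",
    "2025-09-11 03:16:02 INFO AdminAudit - user=admin-go action=LOGIN src=203.0.113.5",
    "2025-09-11 03:20:11 INFO ProcessStart - parent=java.exe image=C:\\ProgramData\\SimpleHelp\\Remote Access.exe",
    "2025-09-11 03:25:30 INFO ProcessStart - parent=cmd.exe image=C:\\Users\\Public\\netscan.exe",
    "2025-09-11 03:40:00 INFO ProcessStart - parent=cmd.exe image=C:\\Users\\Public\\rclone.exe args=copy",
    "2025-09-11 04:00:00 INFO AdminAudit - user=alice action=LOGIN src=10.0.0.7",
]

# Each rule: (name, stage, compiled regex). The patterns follow the indicators
# listed above: the "initial" stage is the deserialization attempt itself,
# everything else is post-exploitation behaviour.
RULES = [
    ("deserialization_attempt", "initial",
     re.compile(r"SignedObject\.getObject")),
    ("backdoor_account_admin_go", "post",
     re.compile(r"\badmin-go\b")),
    ("rmm_tool_launch", "post",
     re.compile(r"SimpleHelp|MeshAgent", re.IGNORECASE)),
    ("netscan_recon", "post",
     re.compile(r"\bnetscan\b", re.IGNORECASE)),
    ("rclone_exfil", "post",
     re.compile(r"\brclone\b", re.IGNORECASE)),
]


def scan(lines):
    """Return (line_number, rule_name, stage) for every rule hit, 1-based."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for name, stage, pattern in RULES:
            if pattern.search(line):
                findings.append((lineno, name, stage))
    return findings


def summarize(findings):
    """Count hits per rule name."""
    return dict(Counter(name for _, name, _ in findings))


def is_likely_compromise(findings):
    """The indicators describe a chain: a deserialization attempt followed by
    post-exploitation activity. Only flag when both stages are present."""
    stages = {stage for _, _, stage in findings}
    return "initial" in stages and "post" in stages


if __name__ == "__main__":
    hits = scan(SAMPLE_LOGS)
    for lineno, name, stage in hits:
        print(f"line {lineno:>2} [{stage}] {name}")
    print("summary:", summarize(hits))
    print("likely compromise:", is_likely_compromise(hits))
```

A single stack-trace hit without any of the post-exploitation indicators is reported but not escalated, which keeps a failed or blocked attempt from being triaged as a confirmed intrusion.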
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | | 10.0 | CRITICAL | |
| cisa | | 9.8 | CRITICAL | |
CISA
Fortra GoAnywhere MFT Deserialization of Untrusted Data Vulnerability
cisa·2025-09-29·CVSS 9.8
CVE-2025-10035 [CRITICAL] CWE-502 Fortra GoAnywhere MFT Deserialization of Untrusted Data Vulnerability
Vulnerability: Fortra GoAnywhere MFT Deserialization of Untrusted Data Vulnerability
Affected: Fortra GoAnywhere MFT
Fortra GoAnywhere MFT contains a deserialization of untrusted data vulnerability that allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://www.fortra.com/security/advisories/product-security/fi-2025-012 ; https://nvd.nist.gov/vuln/detail/CVE-2025-10035
Remediation Due Date: 2025-10-20
GHSA
GHSA-fcfw-g3g2-2588: A deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an actor with a validly forged license response signature to
ghsa_unreviewed·2025-09-19
CVE-2025-10035 [CRITICAL] CWE-77 GHSA-fcfw-g3g2-2588: A deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an actor with a validly forged license response signature to
A deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection.
VulnCheck
Fortra GoAnywhere MFT Deserialization of Untrusted Data Vulnerability
vulncheck·2025·CVSS 10.0
CVE-2025-10035 [CRITICAL] CWE-502 Fortra GoAnywhere MFT Deserialization of Untrusted Data Vulnerability
Fortra GoAnywhere MFT Deserialization of Untrusted Data Vulnerability
Fortra GoAnywhere MFT contains a deserialization of untrusted data vulnerability that allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection.
Affected: Fortra GoAnywhere MFT
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://app.crowdsec.net/cti/cve-explorer/CVE-2025-10035; https://labs.watchtowr.com/it-is-bad-exploitation-of-fortra-goanywhere-mft-cve-2025-10035-part-2/; https://www.cisa.gov/sites/default/files/feeds/known_
VulnCheck
Fortra GoAnywhere MFT Remote Code Execution Vulnerability
vulncheck·2023·CVSS 7.2
CVE-2023-0669 [HIGH] CWE-502 Fortra GoAnywhere MFT Remote Code Execution Vulnerability
Fortra GoAnywhere MFT Remote Code Execution Vulnerability
Fortra (formerly, HelpSystems) GoAnywhere MFT contains a pre-authentication remote code execution vulnerability in the License Response Servlet due to deserializing an attacker-controlled object.
Affected: Fortra GoAnywhere MFT
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.huntress.com/blog/investigating-intrusions-from-intriguing-exploits; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.hhs.gov/sites/default/files/clop-allegedly-targeting-healthcare-industry-sector-alert.pdf; https://www.rubrik.com/blog/company/23/3/fortra-goanywhere; https://www.bleepingcomputer.com/news/security/hitachi-energy-
Suricata
ET HUNTING Fortra GoAnywhere MFT Insecure Deserialization via License Servlet (CVE-2025-10035)
suricata·2025-09-25·CVSS 10.0
CVE-2025-10035 [CRITICAL] ET HUNTING Fortra GoAnywhere MFT Insecure Deserialization via License Servlet (CVE-2025-10035)
ET HUNTING Fortra GoAnywhere MFT Insecure Deserialization via License Servlet (CVE-2025-10035)
Rule: alert http any any -> $HOME_NET any (msg:"ET HUNTING Fortra GoAnywhere MFT Insecure Deserialization via License Servlet (CVE-2025-10035)"; flow:established,to_server; flowbits:isset,ET.GoAnywhere.CVE-2025-10035; http.uri; content:"/goanywhere/lic/accept/"; fast_pattern; http.request_body; content:"bundle|3d|"; startswith; http.method; content:"POST"; reference:url,labs.watchtowr.com/is-this-bad-this-feels-bad-goanywhere-cve-2025-10035/; reference:cve,2025-10035; classtype:web-application-attack; sid:2064922; rev:1; metadata:affected_product Fortra_GoAnywhere, attack_target Server, tls_state TLSDecrypt, created_at 2025_09_25, cve CVE_2025_10035, deployment Perimeter, deployment Internal, de
Suricata
ET WEB_SPECIFIC_APPS Fortra GoAnywhere MFT Authentication Bypass via License Servlet (CVE-2025-10035)
suricata·2025-09-25·CVSS 10.0
CVE-2025-10035 [CRITICAL] ET WEB_SPECIFIC_APPS Fortra GoAnywhere MFT Authentication Bypass via License Servlet (CVE-2025-10035)
ET WEB_SPECIFIC_APPS Fortra GoAnywhere MFT Authentication Bypass via License Servlet (CVE-2025-10035)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Fortra GoAnywhere MFT Authentication Bypass via License Servlet (CVE-2025-10035)"; flow:established,to_server; flowbits:set,ET.GoAnywhere.CVE-2025-10035; http.uri; content:"/license/Unlicensed.xhtml/"; fast_pattern; content:"javax.faces.ViewState|3d|"; content:"GARequestAction|3d|activate"; reference:url,labs.watchtowr.com/is-this-bad-this-feels-bad-goanywhere-cve-2025-10035/; reference:cve,2025-10035; classtype:web-application-attack; sid:2064920; rev:1; metadata:affected_product Fortra_GoAnywhere, attack_target Server, tls_state TLSDecrypt, created_at 2025_09_25, cve CVE_2025_10035, deployment Perimeter, deployment Int
Suricata
ET WEB_SPECIFIC_APPS Fortra GoAnywhere MFT Response Valid License Request Token Disclosure
suricata·2025-09-25·CVSS 10.0
CVE-2025-10035 [CRITICAL] ET WEB_SPECIFIC_APPS Fortra GoAnywhere MFT Response Valid License Request Token Disclosure
ET WEB_SPECIFIC_APPS Fortra GoAnywhere MFT Response Valid License Request Token Disclosure
Rule: alert http $HOME_NET any -> any any (msg:"ET WEB_SPECIFIC_APPS Fortra GoAnywhere MFT Response Valid License Request Token Disclosure"; flow:established,to_client; flowbits:isset,ET.GoAnywhere.CVE-2025-10035; http.stat_code; content:"302"; http.location; content:"/lic/request|3f|bundle|3d|"; fast_pattern; reference:url,labs.watchtowr.com/is-this-bad-this-feels-bad-goanywhere-cve-2025-10035/; classtype:web-application-attack; sid:2064921; rev:1; metadata:affected_product Fortra_GoAnywhere, attack_target Server, tls_state TLSDecrypt, created_at 2025_09_25, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Minor, tag Description_Generated_By_Proo
Nuclei
GoAnywhere - Authentication Bypass
nuclei·CVSS 9.8
CVE-2025-10035 [CRITICAL] GoAnywhere - Authentication Bypass
GoAnywhere - Authentication Bypass
Fortra GoAnywhere MFT contains an insecure deserialization vulnerability in the License Servlet, caused by deserializing attacker-controlled objects accompanied by a validly forged license response signature, letting attackers perform command injection; exploitation requires such a forged license signature.
Template:
id: CVE-2025-10035
info:
  name: GoAnywhere - Authentication Bypass
  author: DhiyaneshDk,watchtowr
  severity: critical
  description: |
    Fortra GoAnywhere MFT contains an insecure deserialization vulnerability in the License Servlet caused by deserializing attacker-controlled objects with a valid forged license response signature, letting attackers perform command injection, exploit requires valid forged license signature.
  reference:
    - https://labs.watchtowr.com/i
Hackernews
China-Linked Storm-1175 Exploits Zero-Days to Rapidly Deploy Medusa Ransomware
blogs_hackernews·2026-04-07·CVSS 8.8
[HIGH] China-Linked Storm-1175 Exploits Zero-Days to Rapidly Deploy Medusa Ransomware
## China-Linked Storm-1175 Exploits Zero-Days to Rapidly Deploy Medusa Ransomware
A China-based threat actor known for deploying Medusa ransomware has been linked to the weaponization of a combination of zero-day and N-day vulnerabilities to orchestrate "high-velocity" attacks and break into susceptible internet-facing systems.
"The threat actor's high operational tempo and proficiency in identifying exposed perimeter assets have proven successful, with recent intrusions heavily impacting healthcare organizations, as well as those in the education, professional services, and finance sectors in Australia, the United Kingdom, and
Bleepingcomputer
Microsoft links Medusa ransomware affiliate to zero-day attacks
blogs_bleepingcomputer·2026-04-06·CVSS 8.8
[HIGH] Microsoft links Medusa ransomware affiliate to zero-day attacks
## Microsoft links Medusa ransomware affiliate to zero-day attacks
## Sergiu Gatlan
"The threat actor's high operational tempo and proficiency in identifying exposed perimeter assets have proven successful, with recent intrusions heavily impacting healthcare organizations, as well as those in the education, professional services, and finance sectors in Australia, United Kingdom, and United States."
Microsoft has also observed Storm-1175 operators chaining multiple exploits to gain persistence on compromised systems by creating new user accounts, deploying remote monitoring and management software, stealing credentials, and disabling security software before dropping ransomware payloads.
In October, Microsoft reported that Storm-1175 had been exploiting a maximum-severity GoAnywhere MFT
Greynoiseio
The Noise in the Silence: Unmasking CISA's Hidden KEV Ransomware Updates
blogs_greynoiseio·2026-02-02
The Noise in the Silence: Unmasking CISA's Hidden KEV Ransomware Updates
Wiz
Crying Out Cloud Newsletter - October 2025 | Wiz
blogs_wiz·2025-10-12·CVSS 9.9
[CRITICAL] Crying Out Cloud Newsletter - October 2025 | Wiz
Welcome back! This month we’ve seen a lot of action, with both vulnerabilities and security incidents that have left users affected. We bring you the latest cloud security highlights, to help you stay informed and stay secure.
## 🔍 Highlights
## Shai-Hulud: Package Supply Chain Compromise Delivering Data-Stealing Malware
On September 15, 2025, malicious versions of multiple popular packages were published to npm. They contained a post-install script that harvested sensitive data and exfiltrated it to attacker-created public GitHub repos named Shai-Hulud . Beyond data theft, the malware exhibits worm-like behaviour: when a compromised package encounters additional npm tokens in its environment, it will automatically publish malicious versions of any packages it can access - spreading acr
Microsoft
Ransomware | Latest Threats | Microsoft Security Blog
blogs_microsoft·2025-10-06·CVSS 10.0
CVE-2025-10035 [CRITICAL] Ransomware | Latest Threats | Microsoft Security Blog
- October 6, 2025
- 8 min read
### Investigating active exploitation of CVE-2025-10035 GoAnywhere Managed File Transfer vulnerability
Storm-1175, a financially motivated actor known for deploying Medusa ransomware and exploiting public-facing applications for initial access, was observed exploiting the deserialization vulnerability in GoAnywhere MFT’s License Servlet, tracked as CVE-2025-10035.
Bleepingcomputer
Microsoft: Critical GoAnywhere bug exploited in ransomware attacks
blogs_bleepingcomputer·2025-10-06·CVSS 10.0
CVE-2025-10035 [CRITICAL] Microsoft: Critical GoAnywhere bug exploited in ransomware attacks
## Microsoft: Critical GoAnywhere bug exploited in ransomware attacks
## Sergiu Gatlan
While Fortra patched the vulnerability on September 18 without mentioning active exploitation, security researchers at WatchTowr Labs tagged it as exploited in the wild one week later, after receiving "credible evidence" that CVE-2025-10035 had been leveraged as a zero-day since September 10.
## Exploited in Medusa ransomware attacks
Today, Microsoft confirmed WatchTowr Labs' report, stating that a known Medusa ransomware affiliate it tracks as Storm-1175 has been exploiting this vulnerability in attacks since at least September 11, 2025.
"Microsoft Defender researchers identified exploitation activity in multiple organizations aligned to tactics, techniques, and procedures (TTPs) attributed to Stor
Checkpoint
6th October – Threat Intelligence Report
blogs_checkpoint·2025-10-06
CVE-2025-41244 6th October – Threat Intelligence Report
## 6th October – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 6th October, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Red Hat has confirmed a cyber attack that resulted in unauthorized access to one of its GitLab instances. The attackers, Crimson Collective, claim to have stolen approximately 570GB of compressed data. The data includes 28,000 internal repositories, including around 800 Customer Engagement Reports containing sensitive infra
Microsoft
Investigating active exploitation of CVE-2025-10035 GoAnywhere Managed File Transfer vulnerability
blogs_microsoft·2025-10-06·CVSS 10.0
[CRITICAL] Investigating active exploitation of CVE-2025-10035 GoAnywhere Managed File Transfer vulnerability
Research
October 6, 2025
Bleepingcomputer
Maximum severity GoAnywhere MFT flaw exploited as zero day
blogs_bleepingcomputer·2025-09-26·CVSS 10.0
CVE-2025-10035 [CRITICAL] Maximum severity GoAnywhere MFT flaw exploited as zero day
## Maximum severity GoAnywhere MFT flaw exploited as zero day
## Bill Toulas
Hackers are actively exploiting a maximum severity vulnerability (CVE-2025-10035) in Fortra's GoAnywhere MFT that allows injecting commands remotely without authentication.
The vendor disclosed the flaw on September 18, but the company had learned about it a week earlier, and did not share any details on how it was discovered or if it was being exploited.
CVE-2025-10035 is a deserialization vulnerability in the License Servlet of the GoAnywhere managed file transfer software that can be leveraged to inject commands by "an actor with a validly forged license response signature."
Although Fortra's advisory hasn't been updated to include any information about the vulnerability being used in attacks, security
Checkpoint
22nd September – Threat Intelligence Report
blogs_checkpoint·2025-09-22
CVE-2025-10035 22nd September – Threat Intelligence Report
## 22nd September – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 22nd September, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Several major European airports including Heathrow, Berlin, Brussels, Dublin, and Cork have experienced a cyber-attack, resulting in disruptions to electronic check-in and baggage drop systems using Collins Aerospace’s MUSE software. The incident led to flights delays, cancellations, and diversions, with affected airp
Bleepingcomputer
Fortra warns of max severity flaw in GoAnywhere MFT’s License Servlet
blogs_bleepingcomputer·2025-09-19·CVSS 10.0
CVE-2025-10035 [CRITICAL] Fortra warns of max severity flaw in GoAnywhere MFT’s License Servlet
## Fortra warns of max severity flaw in GoAnywhere MFT’s License Servlet
## Sergiu Gatlan
Fortra has released security updates to patch a maximum severity vulnerability in GoAnywhere MFT's License Servlet that can be exploited in command injection attacks.
GoAnywhere MFT is a web-based managed file transfer tool that helps organizations securely transfer files and maintain audit logs of who accesses the shared files.
Tracked as CVE-2025-10035, this security flaw is caused by a deserialization of untrusted data weakness and can be exploited remotely in low-complexity attacks that don't require user interaction.
"A deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an actor with a validly forged license response signature to deserialize an arbitrary a
Recorded Future
September 2025 CVE Landscape
blogs_recorded_future·CVSS 7.2
[HIGH] September 2025 CVE Landscape
# September 2025 CVE Landscape
In September 2025, Recorded Future’s Insikt Group® identified sixteen high-impact vulnerabilities that should be prioritized for remediation. This represents a decrease from the eighteen identified in August, with the number of Very Critical vulnerabilities also decreasing (11) month over month.
These vulnerabilities have affected the following vendors: Sudo, Libraesva, Fortra, Cisco, Adminer, Google, Dassault Systèmes, Linux, Android, Sitecore, TP-Link, and Meta Platforms.
September was dominated by flaws in Cisco and TP-Link, which together represented six of the sixteen vulnerabilities. Cisco’s IOS, IOS XE, and Secure Firewall products were affected by flaws, including stack-based and classic buffer overflows (CWE-121, CWE-120) and missing authorization
Greynoiseio
NoiseLetter March 2026
blogs_greynoiseio
NoiseLetter March 2026
Events, events… and yes, even more events. 🌍 GreyNoise has been on the move. March kept us busy with stops at eCrimes in London and SecIT in Hanover—but we’re just getting started. Over the next few months, we’ll be hitting the road for CrowdStrike CrowdTours across eight cities, heading to Glasgow to speak and sponsor CyberUK, and making our way to Tampa for H-ISAC. If you’ll be at any of these (or nearby), we’d love to connect.
And while we’ve been racking up miles, we haven’t slowed down on the research front. We’ve just released some exciting new findings—with even more coming in the next few weeks—so keep an eye out.
Thanks, as always, for being part of the GreyNoise community.
Featured
About this new report
Every enterprise firewall processes traffic from residential IP space. T
Threat Intel
Storm-1175
threat_intel·CVSS 10.0
CVE-2025-10035 [CRITICAL] Storm-1175
# Threat Actor: Storm-1175
## Description
Storm-1175 is a cybercriminal group known for deploying Medusa ransomware and exploiting public-facing applications for initial access. They have been observed exploiting a critical deserialization vulnerability in GoAnywhere MFT, tracked as CVE-2025-10035, which could lead to command injection and potential RCE. Microsoft Defender researchers identified exploitation activity aligned with TTPs attributed to Storm-1175, including the use of post-compromise techniques that involve creating a group named “ESX Admins” in the domain.
Timeline:
- 2025-09-18: Published
- 2025-09-29: Added to CISA KEV
- Exploited in the wild