⚠ Actively exploited in ransomware campaigns
This vulnerability is on the CISA Known Exploited Vulnerabilities (KEV) list and has been used in known ransomware attacks. CISA required action: apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Due date: 2025-10-20.
CVE-2025-10035: Command Injection in Fortra GoAnywhere Managed File Transfer
Severity
NVD: 9.8 CRITICAL
VulnCheck: 10.0 / 7.2
EPSS
Score: 54.6% (top 1.96% of scored CVEs)
CISA KEV
Listed; flagged as used in ransomware campaigns
Added: 2025-09-29
Due: 2025-10-20
Exploit
Public exploit / PoC available
Timeline
Published: 2025-09-18
KEV added: 2025-09-29
KEV due: 2025-10-20
Latest update: Apr 7
Description
A deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection.
The servlet is reachable without credentials (the CVSS vector below scores PR:N/UI:N), so the validity check on the license response signature is what stands between an unauthenticated request and the deserialization sink; an attacker who can produce an acceptable signature controls the object graph that the servlet deserializes.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
(network attack vector, low attack complexity, no privileges, no user interaction, scope unchanged, high confidentiality, integrity and availability impact)
Exploitability sub-score: 3.9 | Impact sub-score: 5.9
Affected packages: 2
Vulnerability details (3 sources)
GHSA-fcfw-g3g2-2588 (2025-09-19): A deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection.
Exploits & PoCs (1)
Nuclei template: GoAnywhere - Authentication Bypass
Detection rules (3 Suricata rules, Emerging Threats, 2025-09-25)
ET HUNTING Fortra GoAnywhere MFT Insecure Deserialization via License Servlet (CVE-2025-10035)
ET WEB_SPECIFIC_APPS Fortra GoAnywhere MFT Authentication Bypass via License Servlet (CVE-2025-10035)
ET WEB_SPECIFIC_APPS Fortra GoAnywhere MFT Response Valid License Request Token Disclosure
The first rule is in the ET HUNTING category, which is lower confidence than WEB_SPECIFIC_APPS and is often not enabled for alerting by default; the third matches on the response side rather than the request.
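A request-side content check of the kind such deserialization rules rely on is looking for the Java serialization stream header in the request body. As an added example (not from the page and not the ET rules themselves), here is that check in Python: it searches the raw body and every URL-encoded form field, including base64-encoded fields, for the header that java.io.ObjectOutputStream writes first. The sample bodies are constructed and the field names are placeholders, since the page does not give the servlet's parameters.

```python
"""Added example: spot a Java serialized object in an HTTP request body."""
import base64
import binascii
import urllib.parse

# Header that java.io.ObjectOutputStream writes first: STREAM_MAGIC 0xACED, STREAM_VERSION 5.
# Base64-encoded, these bytes always start with "rO0AB", the string most IDS content rules match on.
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"


def _base64_decodings(data: bytes):
    """Yield standard and URL-safe base64 decodings of data, tolerating line wraps and lost padding."""
    compact = b"".join(data.split())   # also drops a '+' that form decoding turned into ' '
    padded = compact + b"=" * (-len(compact) % 4)
    for decode in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            yield decode(padded)
        except (binascii.Error, ValueError):
            continue


def find_java_serialized_object(body: bytes):
    """Return 'raw' if the body itself carries a serialized stream, the form-field name if one
    of the URL-encoded fields does (plain or base64), or None if nothing matches."""
    if JAVA_SERIAL_MAGIC in body:      # a stream starts with the header; allow a framing prefix
        return "raw"
    # Treat the body as application/x-www-form-urlencoded; latin-1 keeps percent-decoded bytes intact.
    fields = urllib.parse.parse_qs(body.decode("latin-1"), keep_blank_values=True, encoding="latin-1")
    for name, values in fields.items():
        for value in values:
            raw = value.encode("latin-1")
            if JAVA_SERIAL_MAGIC in raw:
                return name
            if any(JAVA_SERIAL_MAGIC in decoded for decoded in _base64_decodings(raw)):
                return name
    return None


# Constructed sample bodies; the field names are placeholders, not GoAnywhere's real parameters.
BENIGN_BODY = b"licenseKey=ABCD-1234&action=activate"
# Truncated stream: the header plus the start of a java.util.HashMap class descriptor.
# Only the header matters for this check.
SERIALIZED_FRAGMENT = JAVA_SERIAL_MAGIC + b"sr\x00\x11java.util.HashMap"
SUSPICIOUS_BODY = (b"bundle="
                   + urllib.parse.quote_from_bytes(base64.b64encode(SERIALIZED_FRAGMENT)).encode("ascii")
                   + b"&action=activate")


if __name__ == "__main__":
    samples = (("benign", BENIGN_BODY), ("suspicious", SUSPICIOUS_BODY), ("raw stream", SERIALIZED_FRAGMENT))
    for label, body in samples:
        print(f"{label:>10}: {find_java_serialized_object(body)}")
```

This is a tripwire, not proof of absence: a stream that is compressed, encrypted or split across a multipart body will not match a content signature, and the same logic has to be applied on the response side if the traffic of interest flows that way.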
Vendor advisories: 1
Threat intelligence: 13 Hackernews articles