cbcvebase.
CVE-2025-10035
published 2025-09-18

Priority: P1 · 98 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability, due 2025-10-20
Exploited in the wild
EPSS: 99.61% (99.9th percentile)

A deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection.

Affected

3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fortra | goanywhere_managed_file_transfer | < 7.6.3 | 7.6.3 |
| fortra | goanywhere_managed_file_transfer | >= 7.7.0 < 7.8.4 | 7.8.4 |
| fortra | goanywhere_mft | <= 7.8.3 | |

Detection & IOCs (extracted from sources)

process: mtsc.exe
  • Search GoAnywhere MFT log files for stack trace errors containing the string 'SignedObject.getObject' to identify exploitation attempts.
  • Hunt for creation of a backdoor admin account named 'admin-go' in GoAnywhere MFT, which was observed post-exploitation.
  • Monitor for RMM tools SimpleHelp and MeshAgent being launched on GoAnywhere MFT hosts as persistence indicators attributed to Storm-1175.
  • Detect Netscan execution on GoAnywhere MFT hosts as a network reconnaissance indicator post-exploitation.
  • Detect Rclone execution on GoAnywhere MFT hosts as a data exfiltration indicator post-exploitation.
  • Monitor Admin Audit logs in GoAnywhere MFT for suspicious activity as recommended by Fortra to detect compromise.
  • Exploitation involves achieving remote command execution via pre-auth deserialization in the License Servlet, followed by secondary payload upload and execution.
  • The vulnerability requires the attacker to possess a validly forged license response signature to trigger deserialization; this is a prerequisite for exploitation.
  • Patched versions are GoAnywhere MFT 7.8.4 (latest) and 7.6.3 (Sustain Release); systems not yet upgraded remain vulnerable.
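
The log-hunting items above can be combined into one triage pass. The following is an added example, not code from this page's sources or from Fortra. It assumes log entries begin with a timestamp while stack-trace frames do not, so a `SignedObject.getObject` frame is attributed to the entry that opened it; the sample lines and the `com.example` class name are constructed.

```python
import re

# Indicators named on this page: stack-trace string, account name, tool names.
TRACE_MARKER = "SignedObject.getObject"
ACCOUNT = re.compile(r"(?<![\w-])admin-go(?![\w-])")  # exact name, not 'admin-gordon'
TOOLS = ("simplehelp", "meshagent", "netscan", "rclone")

# Assumption: a new log entry starts with 'YYYY-MM-DD HH:MM:SS'; trace frames do not.
ENTRY_START = re.compile(r"^(\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}:\d{2})")

def hunt(lines):
    """Return sorted (timestamp, indicator) pairs; stack-trace frames inherit
    the timestamp of the log entry they belong to."""
    findings = set()
    current_ts = None
    for raw in lines:
        line = raw.rstrip("\n")
        m = ENTRY_START.match(line)
        if m:
            current_ts = m.group(1)
        ts = current_ts or "unknown"
        if TRACE_MARKER in line:
            findings.add((ts, "deserialization-stack-trace"))
        if ACCOUNT.search(line):
            findings.add((ts, "backdoor-account:admin-go"))
        low = line.lower()
        for tool in TOOLS:
            if re.search(rf"\b{tool}", low):
                findings.add((ts, f"tool:{tool}"))
    return sorted(findings)

# Constructed sample lines (not real GoAnywhere MFT output).
SAMPLE = """\
2025-09-10 03:14:07 ERROR Error processing license response
java.lang.RuntimeException: invalid license
\tat java.base/java.security.SignedObject.getObject(SignedObject.java:177)
\tat com.example.LicenseHandler.handle(LicenseHandler.java:42)
2025-09-10 03:20:31 INFO Admin user 'admin-go' was added by 'system'
2025-09-10 03:41:55 INFO process started: C:\\Windows\\Temp\\rclone.exe copy ...
2025-09-10 04:00:00 INFO Admin user 'admin-gordon' logged in
""".splitlines()

if __name__ == "__main__":
    for ts, indicator in hunt(SAMPLE):
        print(ts, indicator)
```

A hit is a lead for review in the Admin Audit logs, not proof of compromise; the tool names in particular can match legitimate administrative use.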

CVSS provenance

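| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | | 10.0 | CRITICAL | |
| cisa | | 9.8 | CRITICAL | |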