Full Report
A vulnerability has been discovered in GoAnywhere Managed File Transfer (MFT) which could allow for Command Injection. GoAnywhere Managed File Transfer (MFT) is an enterprise-level software solution for securely automating, managing, and tracking all organizational file transfers, whether server-to-server or person-to-person. Successful exploitation of this vulnerability could allow an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection.
Analysis Summary
# Vulnerability: GoAnywhere MFT Command Injection via License Deserialization
## CVE Details
- CVE ID: CVE-2025-10035
- CVSS Score: HIGH (Specific score not provided in text, but risk mapping indicates high impact for large/medium entities)
- CWE: Unspecified (Implied weakness related to Deserialization/Injection)
## Affected Systems
- Products: GoAnywhere Managed File Transfer (MFT)
- Versions: All versions prior to the latest release **7.8.4** or the Sustain Release **7.6.3**
- Configurations: Exploitation is highly dependent upon systems being externally exposed to the internet and accessible to perform the license response forgery.
## Vulnerability Description
A deserialization vulnerability exists within the License Servlet of Fortra's GoAnywhere MFT. An attacker who can provide a validly forged license response signature can leverage this to deserialize an arbitrary actor-controlled object. Successful exploitation can lead to Command Injection (MITRE Tactic: Initial Access, Technique: Exploit Public-Facing Application [T1190]).
## Exploitation
- Status: **Not exploited** in the wild (as of advisory date).
- Complexity: Assumed **Medium** (Requires forging a license response signature).
- Attack Vector: **Network** (Relies on exploiting a public-facing application/servlet).
## Impact
- Confidentiality: Likely High (Based on command injection resulting from exploitation).
- Integrity: Likely High (Based on command injection resulting from exploitation).
- Availability: Likely High (Based on command injection resulting from exploitation).
## Remediation
### Patches
- Apply appropriate updates provided by Fortra to bring systems to version **7.8.4** or later, or Sustain Release **7.6.3** or later.
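
A version-triage sketch for the two fixed builds above, added here as an example and not taken from Fortra or the advisory. The hostnames and inventory are constructed, and treating 7.6.x as the Sustain Release branch (so that 7.7.x and 7.8.0 to 7.8.3 still count as affected) is an assumption.

```python
import re

# Fixed builds named in the advisory.
FIXED_MAIN = (7, 8, 4)     # latest release
FIXED_SUSTAIN = (7, 6, 3)  # Sustain Release
# Assumption: the Sustain Release line is 7.6.x, so only 7.6 builds are
# compared against 7.6.3; every other branch is compared against 7.8.4.
SUSTAIN_BRANCH = (7, 6)


def parse_version(text):
    """Return (major, minor, patch) from strings like '7.8.3' or 'v7.6.3 build 12'."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) if p else 0 for p in m.groups())


def is_affected(version_text):
    """True when the build predates the fix for its branch."""
    v = parse_version(version_text)
    if v[:2] == SUSTAIN_BRANCH:
        return v < FIXED_SUSTAIN
    return v < FIXED_MAIN


def triage(inventory):
    """Map host -> 'PATCH', 'ok', or 'UNKNOWN' (version could not be parsed)."""
    result = {}
    for host, version_text in inventory.items():
        try:
            result[host] = "PATCH" if is_affected(version_text) else "ok"
        except ValueError:
            result[host] = "UNKNOWN"  # verify by hand rather than assume safe
    return result


# Constructed inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = {
    "mft-dmz-01": "7.8.3",
    "mft-dmz-02": "7.8.4",
    "mft-int-01": "7.6.3",
    "mft-int-02": "7.7.1",
    "mft-int-03": "7.6.2",
    "mft-lab-01": "unknown",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12} {SAMPLE_INVENTORY[host]:8} {status}")
```

Hosts reported as `UNKNOWN` should be checked manually, and any host marked `PATCH` that also exposes the Admin Console to the internet is the first to update.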
### Workarounds
- Ensure that access to the GoAnywhere Admin Console is **not open to the public**.
## Detection
- **Indicators of Compromise (IoC):** Not explicitly detailed in the summary, but look for unusual activity related to license request/response handling or subsequent command execution traces on the server.
- **Detection Methods and Tools:** Use exploit-protection capabilities that detect and block conditions that may lead to, or indicate, a software exploit. Enable anti-exploitation features such as Data Execution Prevention (DEP), Windows Defender Exploit Guard (WDEG), and System Integrity Protection (SIP).
## References
- CVE: hxxps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-10035
- Vendor Advisory (Fortra): hxxps://www.fortra.com/security/advisories/product-security/fi-2025-012