Full Report
Fortra has released security updates to patch a maximum severity vulnerability in GoAnywhere MFT's License Servlet that can be exploited in command injection attacks. [...]
Analysis Summary
# Vulnerability: Maximum Severity Command Injection in GoAnywhere MFT License Servlet
## CVE Details
- CVE ID: CVE-2025-10035
- CVSS Score: 10.0 (Critical/Maximum) - *Inferred from "maximum severity" and context*
- CWE: CWE-502 (Deserialization of Untrusted Data)
## Affected Systems
- Products: Fortra GoAnywhere MFT (Managed File Transfer tool)
- Versions: All versions prior to 7.8.4 and Sustain Release 7.6.3.
- Configurations: Systems where the GoAnywhere Admin Console is accessible over the internet.
## Vulnerability Description
This critical vulnerability resides in the License Servlet of GoAnywhere MFT. It is caused by a deserialization of untrusted data weakness (CWE-502). An attacker capable of forging a valid license response signature can deserialize an arbitrary, actor-controlled object. Successful exploitation can lead to command injection, allowing the attacker to execute arbitrary commands on the underlying system.
## Exploitation
- Status: Not explicitly confirmed as exploited in the wild, but PoC information is implied by advisory status.
- Complexity: Low. Exploitation does not require user interaction.
- Attack Vector: Network (Remote, requires external internet exposure of the Admin Console).
## Impact
- Confidentiality: High (Ability to execute remote commands suggests high risk of data exfiltration).
- Integrity: High (Remote command execution allows for system modification).
- Availability: High (Remote code execution can lead to system downtime or compromise).
## Remediation
### Patches
- Upgrade to GoAnywhere MFT version **7.8.4** or higher.
- Upgrade to GoAnywhere MFT Sustain Release version **7.6.3** or higher.
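As an added triage aid (not Fortra's tooling or part of the advisory), the check below classifies a GoAnywhere MFT version string against the two fixed releases above. It assumes the 7.6.x Sustain branch is fixed at 7.6.3 and every other release line only at 7.8.4; the inventory and hostnames are constructed.

```python
"""Added example: decide whether a GoAnywhere MFT version string falls inside
the affected range stated in this advisory (everything before 7.8.4, and the
7.6 Sustain Release branch before 7.6.3). Branch handling is an assumption
drawn from the advisory wording, not vendor logic."""
import re

FIXED_MAIN = (7, 8, 4)      # first fixed release on the main line
FIXED_SUSTAIN = (7, 6, 3)   # first fixed release on the 7.6 Sustain branch


def parse_version(text):
    """Extract (major, minor, patch) from strings such as '7.8.3' or
    'GoAnywhere MFT 7.6.2'. Raises ValueError when no version is present."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version):
    """True if the version is still unpatched for CVE-2025-10035.
    Assumption: 7.6.x is fixed from 7.6.3; all other lines from 7.8.4."""
    v = parse_version(version)
    if v[:2] == FIXED_SUSTAIN[:2]:
        return v < FIXED_SUSTAIN
    return v < FIXED_MAIN


def triage(inventory):
    """Given hostname -> version, return the hosts that still need the fix."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = {
    "mft-prod-01": "7.8.3",
    "mft-prod-02": "7.8.4",
    "mft-legacy": "7.6.2",
    "mft-sustain": "7.6.3",
    "mft-dev": "7.7.0",
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} needs the fix")
```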
### Workarounds
- Immediately review configurations and **remove any public internet access** to the GoAnywhere Admin Console until patching can be completed.
## Detection
- **Indicators of Compromise (IoCs):** Look for unexpected process execution originating from the GoAnywhere MFT service account, especially related to network activity or system configuration changes.
- **Detection Methods and Tools:** Monitor ingress traffic aimed at the GoAnywhere Admin Console for anomalous license response headers or serialized data patterns. Enforce network segmentation to limit external access to the console.
## References
- Vendor Advisory: hxxps://www.fortra.com/security/advisories/product-security/fi-2025-012
- General Product Monitoring: hxxps://dashboard.shadowserver.org/statistics/iot-devices/time-series/?date_range=7&vendor=fortra&type=file-transfer&model=goanywhere+mft&dataset=count&limit=1000&group_by=geo&stacking=stacked&auto_update=on