Full Report
Fortra on Thursday revealed the results of its investigation into CVE-2025-10035, a critical security flaw in GoAnywhere Managed File Transfer (MFT) that's assessed to have come under active exploitation since at least September 11, 2025. The company said it began its investigation on September 11 following a "potential vulnerability" reported by a customer, uncovering "potentially suspicious
Analysis Summary
# Vulnerability: Critical Deserialization in Fortra GoAnywhere MFT Leading to RCE
## CVE Details
- CVE ID: CVE-2025-10035
- CVSS Score: 10.0 (Critical) - *Inferred based on description of unauthenticated command injection, often scored as CVSS 10.0*
- CWE: Deserialization of Untrusted Data / Command Injection
## Affected Systems
- Products: Fortra GoAnywhere Managed File Transfer (MFT)
- Versions: 7.6.x, 7.7.x, and 7.8.x (prior to patched releases)
- Configurations: Instances with the GoAnywhere admin console exposed to the public internet. Web-based components outside the admin console are generally not affected.
## Vulnerability Description
CVE-2025-10035 is a critical deserialization vulnerability in the License Servlet component of GoAnywhere MFT. The flaw allows remote, unauthenticated attackers to achieve command injection and execute arbitrary commands on the underlying system. Exploitation may require satisfying cryptographic requirements, though threat actors have reportedly circumvented these.
## Exploitation
- Status: Exploited in the wild (Active exploitation confirmed since at least September 11, 2025)
- Complexity: Unknown/Variable (Reportedly requires overcoming cryptographic hurdles, though exploitation is successful)
- Attack Vector: Network (Remote)
## Impact
- Confidentiality: High (Allows execution of commands which could lead to data exfiltration)
- Integrity: High (Allows arbitrary code execution and system modification)
- Availability: High (Allows system disruption or complete compromise)
## Remediation
### Patches
- GoAnywhere MFT Version **7.6.3**
- GoAnywhere MFT Version **7.8.4**
- Hotfixes were also made available previously for 7.6.x, 7.7.x, and 7.8.x lines.
### Workarounds
1. Restrict administrative console access, ensuring it is **not exposed to the public internet.**
2. Enable robust monitoring of the application environment.
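
As an added example (not Fortra's tooling and not part of the original report), the script below triages an inventory of GoAnywhere MFT instances against the affected and fixed versions listed above and the console-exposure workaround. The hostnames, the inventory tuple layout and the status and priority labels are assumptions made for illustration.

```python
import re

# Version data as stated on this page: affected lines, and the fixed release per
# line. The page lists no fixed release for 7.7.x (hotfixes only).
AFFECTED_LINES = {(7, 6), (7, 7), (7, 8)}
FIXED_RELEASE = {(7, 6): (7, 6, 3), (7, 8): (7, 8, 4)}

def parse_version(text):
    """Parse 'major.minor[.patch]' into a 3-tuple; a missing patch counts as 0."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\.(\d+))?\s*", text)
    if m is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part or 0) for part in m.groups())

def triage(version, admin_console_public):
    """Return (status, priority) for one instance; labels are hypothetical."""
    v = parse_version(version)
    line = v[:2]
    if line not in AFFECTED_LINES:
        return ("line-not-listed", "check-advisory")  # page is silent on this line
    fixed = FIXED_RELEASE.get(line)
    if fixed is None:
        status = "no-fixed-release-listed"  # 7.7.x: hotfix state is not in the version
    elif v >= fixed:
        status = "fixed-release"
    else:
        status = "needs-fix"  # a hotfix may be present; the version cannot show it
    if status == "fixed-release":
        # Assumption: workaround 1 is treated as standing policy, so a public
        # admin console is still flagged on a fixed release.
        return (status, "P3" if admin_console_public else "ok")
    return (status, "P1" if admin_console_public else "P2")

def triage_inventory(inventory):
    """Triage every host and return rows sorted most urgent first."""
    order = {"P1": 0, "P2": 1, "check-advisory": 2, "P3": 3, "ok": 4}
    rows = [(host, *triage(ver, public)) for host, ver, public in inventory]
    return sorted(rows, key=lambda row: order[row[2]])

# Constructed sample inventory: (hostname, version, admin console reachable from internet)
SAMPLE_INVENTORY = [
    ("mft-dmz-01", "7.8.3", True),
    ("mft-int-02", "7.6.3", False),
    ("mft-dmz-03", "7.8.4", True),
    ("mft-int-04", "7.7.1", False),
]

if __name__ == "__main__":
    for host, status, priority in triage_inventory(SAMPLE_INVENTORY):
        print(f"{priority:<3} {host:<11} {status}")
```

A version string cannot show whether a hotfix was applied, so `needs-fix` and `no-fixed-release-listed` rows still need manual confirmation on the host.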
## Detection
- **Indicators of Compromise (IoC):** Unauthorized activity tied to the vulnerability, potentially linked to the threat group Storm-1175 deploying Medusa ransomware.
- **Detection Methods and Tools:** Monitor administrative console network traffic and application logs for signs of unusual deserialization payloads or unexpected command execution originating from the License Servlet component.
## References
- Fortra Investigation Summary: hxxps://www.fortra.com/blog/summary-investigation-related-cve-2025-10035
- Initial CVE Publication (Implied): hxxps://thehackernews.com/2025/09/fortra-goanywhere-cvss-10-flaw.html