Full Report
The vendor didn’t provide evidence of active exploitation, yet experts said it’s only a matter of time before that changes. The post Researchers raise alarm over maximum-severity defect in GoAnywhere file-transfer service appeared first on CyberScoop.
Analysis Summary
# Vulnerability: Critical Deserialization Flaw in GoAnywhere MFT Leading to Potential Command Injection
## CVE Details
- CVE ID: CVE-2025-10035
- CVSS Score: 10.0 (Critical)
- CWE: Deserialization of Untrusted Data (Inferred from description)
## Affected Systems
- Products: GoAnywhere MFT (Managed File Transfer Service)
- Versions: Not explicitly listed, but applies to configurations where the admin console is exposed to the internet.
- Configurations: Customers must have the GoAnywhere admin console accessible over the internet.
## Vulnerability Description
The vulnerability is a deserialization flaw that allows an unauthenticated attacker, provided they possess a "validly forged license response signature," to deserialize an arbitrary actor-controlled object. Successfully exploiting this flaw could lead to command injection on the affected system. This defect is noted to be virtually identical to CVE-2023-0669.
## Exploitation
- Status: No evidence of active, public exploitation in the wild reported, but experts anticipate this will change quickly.
- Complexity: Not explicitly rated, but deserialization flaws are generally considered reliable if the necessary signature condition can be met.
- Attack Vector: Network (Implied, as the admin console is internet-facing).
## Impact
- Confidentiality: High (Potential access to sensitive data handled by the file transfer service).
- Integrity: High (Potential for arbitrary command execution).
- Availability: High (Potential for system compromise/disruption).
## Remediation
### Patches
- Fortra has developed and released a patch for CVE-2025-10035 (Disclosure date: September 19, 2025). Customers are advised to apply this immediately.
### Workarounds
- Mitigation guidance was offered by Fortra alongside the patch release, focused on minimizing the exposure of the admin console. The primary mitigation is to restrict internet access to the admin console.
## Detection
- Indicators of Compromise: Not detailed in the source material, but typical IoCs for command injection following deserialization should be monitored (e.g., unusual outbound network connections, execution of unexpected shell commands).
- Detection methods and tools: Monitoring logs for unauthorized license response signature processing. Security teams should prioritize checking for compromises that may have occurred if systems were vulnerable prior to patching, similar to past file-transfer service exploits.
## References
- Vendor Advisory: Fortra Security Advisory FI-2025-012
- Related CVE: CVE-2023-0669
- Relevant Links:
- hxxps://www.cve.org/CVERecord?id=CVE-2025-10035
- hxxps://www.vulncheck.com/blog/cve-2025-10035-fortra-go-anywhere-mft