Patch Immediately: Fortra Warns of Command Injection Risk in GoAnywhere MFT

Published Date: September 22, 2025

Category: ShadowOpsIntel

A critical deserialization vulnerability (CVE-2025-10035) was discovered in Fortra’s GoAnywhere MFT License Servlet. The flaw allows an attacker with a validly forged license response signature to deserialize arbitrary actor-controlled objects, leading to potential command injection.

Severity: Critical

Vulnerability Details

CVE ID: CVE-2025-10035
CWE IDs:
- CWE-502: Deserialization of Untrusted Data
- CWE-77: Improper Neutralization of Special Elements used in a Command (Command Injection)
CVSS Score: 10
Affected Product: GoAnywhere MFT (all versions prior to patched releases)
Fixed Versions: 7.8.4 (latest release), 7.6.3 (sustain release)

Technical Details

The vulnerability resides in the License Servlet component.
Attackers can exploit it by forging a valid license response signature.
This allows injection of malicious serialized objects into the application.
Upon deserialization, the objects can trigger command execution in the context of the GoAnywhere MFT service.
The exploit does not require prior authentication if the Admin Console is exposed to the internet.

Indicators Of Exploitation

Admin Audit and application logs may contain errors such as:

SignedObject.getObject
ERROR Error parsing license response
java.lang.RuntimeException: InvocationTargetException: java.lang.reflect.InvocationTargetException

Presence of these messages indicates the system may have been targeted.

Potential Impact

Remote Code Execution (RCE) on the underlying host.
Complete compromise of the GoAnywhere MFT server.
Lateral movement within the network if the compromised system has elevated privileges.
Data exfiltration of sensitive files managed by GoAnywhere MFT.