Fortra Releases Patch for Critical GoAnywhere MFT Vulnerability

358/68 Tuesday, September 23, 2025

Fortra, the developer of Managed File Transfer (MFT) solutions, has released a patch for a critical vulnerability (CVSS score 10.0) in its GoAnywhere MFT software, tracked as CVE-2025-10035. The flaw is a deserialization vulnerability in the License Servlet: an attacker who can craft a malicious License Response Signature can cause the servlet to deserialize attacker-controlled objects, potentially leading directly to command injection. Fortra strongly advises users to upgrade immediately to the patched versions, 7.8.4 or Sustain Release 7.6.3, and recommends restricting access to the GoAnywhere Admin Console from the public internet, since exploitation relies on the console being reachable externally.

Although it remains unclear whether this vulnerability has been exploited in the wild, GoAnywhere MFT has previously been targeted through critical flaws. For instance, CVE-2024-0204 (CVSS 9.8), disclosed in January 2024, was an authentication bypass vulnerability that allowed attackers to create new administrator accounts through the Administration Portal. This flaw, discovered by researchers at Spark Engineering Consultants and later analyzed by Horizon3’s Attack Team, was successfully exploited using path traversal to access endpoints and initiate account creation.

This incident highlights how software designed for secure file transfer and data encryption, such as GoAnywhere MFT, which is widely deployed across organizations worldwide, continues to be a prime target for threat actors. Prompt patching and restricting system accessibility remain critical measures organizations must take to reduce the risk of cyber compromise.
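To turn the upgrade advice above into a quick inventory triage, here is an added example (not from the article, Fortra, or the source site) that flags GoAnywhere MFT installations still below the fixed versions the advisory names, 7.8.4 and Sustain Release 7.6.3. The inventory CSV, the host names, and the rule that releases on other 7.x lines (such as 7.7.x) should move to 7.8.4 are constructed assumptions for illustration.

```python
import csv
import io

# Fixed versions as stated in the advisory: 7.8.4 on the current line,
# 7.6.3 on the Sustain Release line. Keyed by (major, minor) line.
FIXED = {(7, 8): (7, 8, 4), (7, 6): (7, 6, 3)}
LATEST_FIX = (7, 8, 4)


def parse_version(text):
    """Parse 'major.minor.patch' into a comparable tuple of ints."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def patch_status(version):
    """Return (is_patched, recommended_target) for CVE-2025-10035.

    Assumptions (not from the article): a line newer than 7.8 is treated
    as including the fix, and any other line without a dedicated fix
    (e.g. 7.7.x) is directed to the latest fixed release, 7.8.4.
    """
    v = parse_version(version)
    line = v[:2]
    if line in FIXED:
        fixed = FIXED[line]
        return v >= fixed, ".".join(map(str, fixed))
    if line > (7, 8):
        return True, version.strip()
    return False, ".".join(map(str, LATEST_FIX))


def triage(inventory_csv):
    """Return (host, version, target) for every host that still needs the patch."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        patched, target = patch_status(row["version"])
        if not patched:
            findings.append((row["host"], row["version"], target))
    return findings


# Constructed sample inventory: host name and reported GoAnywhere version.
INVENTORY = """host,version
mft-01.example.internal,7.8.4
mft-02.example.internal,7.6.2
mft-03.example.internal,7.7.1
"""

if __name__ == "__main__":
    for host, version, target in triage(INVENTORY):
        print(f"{host}: {version} is unpatched, upgrade to {target}")
```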

Source: https://securityaffairs.com/182351/security/fortra-addressed-a-maximum-severity-flaw-in-goanywhere-mft-software.html