By: RedLegg's Cyber Threat Intelligence Team
About:
RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats we classify as the highest severity level and warrant out-of-band emergency patching or mitigation action.
VULNERABILITIES
GoAnywhere MFT License Servlet Deserialization Vulnerability
CVSS Score: 10.0 (Critical)
Identifier: CVE-2025-10035
Exploit or Proof of Concept (PoC): No
Update: CVE-2025-10035 – Fortra Security Advisory FI-2025-012
Description: CVE-2025-10035 is a critical deserialization vulnerability in the License Servlet component of Fortra's GoAnywhere Managed File Transfer (MFT). The flaw allows an attacker who can supply a validly forged license response signature to deserialize an actor-controlled object. This may lead to remote command injection. Exploitation is possible over the network without user interaction or privileges. The vulnerability is especially dangerous for instances whose Admin Console is exposed to the public internet.
Mitigation Recommendation:
Patching is currently the only complete mitigation; the interim steps below only reduce exposure until it is applied. Update GoAnywhere MFT to version 7.8.4 or to the 7.6.3 Sustain Release. For systems not yet patched, restrict access to the Admin Console to trusted networks, placing it behind firewall rules or a VPN rather than exposing it to the public internet. Monitor logs for unusual license-validation activity.
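The following triage helper is an added example, not RedLegg's or Fortra's code. It encodes the two facts in this bulletin that matter for prioritisation, the fixed builds (7.8.4 on the main line, 7.6.3 on the Sustain branch) and whether an instance's Admin Console is reachable from the public internet, and ranks an inventory of instances accordingly. It assumes that later 7.6.x Sustain builds (7.6.4 and up) and any later major/minor release also carry the fix, and that a 7.7.x or 7.8.0–7.8.3 build is unpatched because it is neither of the versions the bulletin names; the hostnames and versions in the sample inventory are constructed.

```python
"""Triage helper for CVE-2025-10035 (GoAnywhere MFT License Servlet deserialization).

Added example, not RedLegg's or Fortra's code. Fixed builds per the bulletin:
7.8.4 (main line) and 7.6.3 (Sustain Release). Assumption: later 7.6.x sustain
builds and any later release line are also patched; 7.7.x and 7.8.0-7.8.3 are not.
"""
import re
from dataclasses import dataclass

FIXED_MAINLINE = (7, 8, 4)
FIXED_SUSTAIN = (7, 6, 3)   # the Sustain branch is 7.6.x


def parse_version(s: str) -> tuple:
    """'7.8.4' -> (7, 8, 4). Ignores a trailing suffix such as '-rc1' and pads
    short strings ('7.8' -> (7, 8, 0)) so comparisons are always 3-component."""
    m = re.match(r"^\s*(\d+(?:\.\d+)*)", s)
    if not m:
        raise ValueError(f"unparseable version: {s!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return (parts + (0, 0, 0))[:3]


def is_patched(version: str) -> bool:
    """True if the build carries the CVE-2025-10035 fix.

    The Sustain branch has its own threshold: 7.6.3 is fixed even though it is
    numerically below 7.8.4, and 7.7.0 is NOT fixed even though it is above 7.6.3.
    """
    v = parse_version(version)
    if v[:2] == FIXED_SUSTAIN[:2]:          # 7.6.x -> judge against sustain fix
        return v >= FIXED_SUSTAIN
    return v >= FIXED_MAINLINE              # everything else -> 7.8.4 or later


@dataclass
class Instance:
    host: str
    version: str
    admin_console_internet_exposed: bool


def triage(instances):
    """Return (priority, host, action) tuples, most urgent first.

    1 = unpatched with an internet-exposed Admin Console (emergency)
    2 = unpatched, Admin Console not internet-exposed
    3 = patched, no action required
    """
    rows = []
    for inst in instances:
        if is_patched(inst.version):
            rows.append((3, inst.host, "patched; no action"))
        elif inst.admin_console_internet_exposed:
            rows.append((1, inst.host,
                         "EMERGENCY: patch now; until then block the Admin Console "
                         "from the internet (firewall/VPN) and review "
                         "license-validation logs"))
        else:
            rows.append((2, inst.host,
                         "patch out-of-band; keep the Admin Console restricted; "
                         "review license-validation logs"))
    return sorted(rows)


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    Instance("mft-dmz-01", "7.8.3", True),    # unpatched and exposed
    Instance("mft-int-02", "7.6.2", False),   # sustain branch, below 7.6.3
    Instance("mft-int-03", "7.6.3", False),   # sustain branch, fixed
    Instance("mft-lab-04", "7.7.0", False),   # between the branches, unpatched
    Instance("mft-dmz-05", "7.8.4", True),    # fixed; exposure no longer urgent
]

if __name__ == "__main__":
    for priority, host, action in triage(SAMPLE_INVENTORY):
        print(f"P{priority}  {host:<12} {action}")
```

Feed it your real inventory (from the MFT admin UI or your CMDB) and work the P1 rows first; the branch-aware comparison in `is_patched` is the part worth keeping, because a naive "version >= 7.6.3" check would wrongly mark every 7.7.x and 7.8.0–7.8.3 build as safe.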