Emergency Security Bulletin: GoAnywhere MFT License Servlet Deserialization Vulnerability


By: RedLegg's Cyber Threat Intelligence Team

About:

CVE-2025-10035 is a critical deserialization vulnerability in the License Servlet of GoAnywhere MFT. An attacker who can present a validly forged license response signature can make the servlet deserialize an attacker-controlled object, which may lead to remote command injection.

RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats that we classify at the highest severity level and that warrant out-of-band emergency patching or mitigation.


VULNERABILITIES

GoAnywhere MFT License Servlet Deserialization Vulnerability  

CVSS Score: 10.0 (Critical)
Identifier: CVE-2025-10035 
Exploit or Proof of Concept (PoC): No 
Update: CVE-2025-10035 – Fortra Security Advisory FI-2025-012 

Description:  CVE-2025-10035 is a critical deserialization vulnerability in the License Servlet component of Fortra's GoAnywhere Managed File Transfer (MFT). The servlet deserializes the object carried in a license response, so an attacker who can supply a validly forged license response signature can have it deserialize an attacker-controlled object. This may lead to remote command injection. Exploitation is possible over the network without user interaction or privileges, which is why the issue carries a 10.0 score. Although the advisory wording implies the attacker must first produce an acceptable signature, Fortra rates the flaw as exploitable with no prior access, so the signature requirement should not be relied on as a mitigation. The vulnerability is especially dangerous for instances whose Admin Console is exposed to the public internet.

Mitigation Recommendation:   

Upgrading is the only complete fix. Update GoAnywhere MFT to version 7.8.4, or to Sustain Release 7.6.3 if you are on the 7.6 branch. Until the update is applied, remove the Admin Console from the public internet and allow access only from trusted networks, behind a firewall or through a VPN. Review the Admin Audit logs for unusual license-validation activity; Fortra's advisory FI-2025-012 calls out errors containing the string SignedObject.getObject as an indicator that the vulnerability was targeted. Treat any such entry as a potential compromise and investigate it regardless of whether the host has since been patched, since patching does not undo earlier exploitation.
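The two checks above (is the install at a fixed version, and does the Admin Audit log contain the advisory's indicator string) are easy to script. The following is an added example written for this bulletin, not RedLegg's or Fortra's code. It assumes that 7.6.x is the Sustain branch fixed at 7.6.3 and that every other release must be at least 7.8.4 (so a 7.7.x install counts as unpatched); the log lines are constructed for the example and the real Admin Audit log layout may differ, so matching is on the substring only.

```python
"""Added example (not RedLegg's or Fortra's code): triage helpers for CVE-2025-10035.

Two checks a responder wants after reading the bulletin:
  1. Is the installed GoAnywhere MFT version at or past a fixed release
     (7.8.4, or 7.6.3 on the Sustain branch)?
  2. Do the Admin Audit logs contain the error string Fortra's advisory
     FI-2025-012 names as an indicator (SignedObject.getObject)?
"""
import re
from typing import Iterable

FIXED_MAIN = (7, 8, 4)       # fixed release on the main branch
FIXED_SUSTAIN = (7, 6, 3)    # fixed Sustain Release
INDICATOR = "SignedObject.getObject"   # indicator string from Fortra advisory FI-2025-012


def parse_version(version: str) -> tuple:
    """Parse 'X.Y.Z' (any trailing segments ignored) into a comparable tuple."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognized version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(version: str) -> bool:
    """True if the version contains the fix.

    Assumption (derived from the two fixed versions the bulletin lists):
    7.6.x is the Sustain branch and is fixed at 7.6.3; every other
    release must be at least 7.8.4. A 7.7.x install is therefore
    unpatched and needs to move to 7.8.4.
    """
    v = parse_version(version)
    if v[:2] == FIXED_SUSTAIN[:2]:
        return v >= FIXED_SUSTAIN
    return v >= FIXED_MAIN


def find_indicators(lines: Iterable[str]) -> list:
    """Return the log lines that contain the advisory's indicator string."""
    return [ln.rstrip("\n") for ln in lines if INDICATOR in ln]


# Constructed sample Admin Audit log lines for the example (not real GoAnywhere output).
SAMPLE_LOG = [
    "2025-09-18 03:14:07 INFO  Admin login succeeded for user admin from 10.0.0.5",
    "2025-09-18 03:14:09 ERROR License Servlet error: java.security.SignedObject.getObject ...",
    "2025-09-18 03:14:10 INFO  License check completed",
]


def triage(version: str, log_lines: Iterable[str]) -> dict:
    """Combine both checks into one verdict for a host.

    An indicator hit is reported even on a patched host, because patching
    does not undo exploitation that happened before the update.
    """
    hits = find_indicators(log_lines)
    patched = is_patched(version)
    if hits:
        action = "investigate: indicator present, treat as potential compromise"
    elif not patched:
        action = "patch to 7.8.4 (or Sustain 7.6.3) and restrict Admin Console access"
    else:
        action = "none"
    return {"version": version, "patched": patched,
            "indicator_hits": hits, "action": action}


if __name__ == "__main__":
    for v in ("7.8.3", "7.8.4", "7.6.2", "7.6.3", "7.7.1"):
        print(v, "patched" if is_patched(v) else "VULNERABLE")
    print(triage("7.8.3", SAMPLE_LOG))
```

Run it against the real Admin Audit log by passing the opened file to `triage` in place of `SAMPLE_LOG`; the version string is whatever the Admin Console reports for the install.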