Fortra has fixed a critical vulnerability in its GoAnywhere Managed File Transfer (MFT) software, which could have allowed an attacker to execute arbitrary commands. The flaw is identified as CVE-2025-10035 and has a CVSS score of 10.0, the highest possible severity.
What the Vulnerability Does
The flaw is a deserialization vulnerability in the software's License Servlet. According to Fortra, an attacker could exploit it by supplying a forged license signature, causing the servlet to deserialize attacker-controlled data and run malicious code. This could lead to a complete compromise of the affected system.
Fortra is urging customers to update to a patched version immediately. The recommended versions are the latest release 7.8.4 or the Sustain Release 7.6.3.
As an additional mitigation, the company recommends restricting public access to the GoAnywhere Admin Console, as the vulnerability can only be exploited if the console is exposed to the internet. It is not yet known if this vulnerability has been exploited in the wild.
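As an added example (not code from Fortra or from the article), the following Python check classifies an inventory of GoAnywhere version strings against the two fixed releases named above. The branch rule (a 7.6.x Sustain install is fixed at 7.6.3 or later, anything else needs 7.8.4 or later, and intermediate lines such as 7.7.x are treated as unpatched) and the hostnames are assumptions for illustration.

```python
"""Classify GoAnywhere MFT version strings against the fixed releases in the advisory."""

# Fixed releases named by Fortra: current line 7.8.4, Sustain line 7.6.3.
# Assumption: 7.6.x is the Sustain line, so 7.6.3 or later 7.6.x is patched;
# every other version must be 7.8.4 or later. 7.7.x has no fix named in the
# advisory and is treated as unpatched.
FIXED_CURRENT = (7, 8, 4)
FIXED_SUSTAIN = (7, 6, 3)


def parse_version(version: str) -> tuple:
    """Turn '7.8.4' into (7, 8, 4); tolerate a build suffix such as '7.6.3-1'."""
    parts = version.strip().split("-")[0].split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(version: str) -> bool:
    """True if the version is at or above the fix for its release line."""
    v = parse_version(version)
    if v[:2] == FIXED_SUSTAIN[:2]:      # 7.6.x Sustain line
        return v >= FIXED_SUSTAIN
    return v >= FIXED_CURRENT           # everything else: tuple compare, so (7, 8) < (7, 8, 4)


def triage(inventory):
    """Return (host, version, status) rows; status is 'ok', 'needs-update' or 'unknown'."""
    rows = []
    for host, version in inventory:
        try:
            status = "ok" if is_patched(version) else "needs-update"
        except ValueError:
            status = "unknown"          # unparseable version: flag for manual review
        rows.append((host, version, status))
    return rows


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("mft-prod-01", "7.8.4"),
    ("mft-prod-02", "7.8.3"),
    ("mft-legacy-01", "7.6.3"),
    ("mft-legacy-02", "7.6.2"),
    ("mft-test-01", "7.7.1"),
    ("mft-old-01", "7.8"),
    ("mft-unknown", "n/a"),
]

if __name__ == "__main__":
    for host, version, status in triage(SAMPLE_INVENTORY):
        print(f"{host:15} {version:8} {status}")
```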
Previous Vulnerability
This is not the first critical flaw found in GoAnywhere. In January 2024, Fortra warned customers about an authentication bypass vulnerability, CVE-2024-0204. This flaw allowed an unauthenticated user to create new administrative accounts through the web portal. The vulnerability was privately disclosed to Fortra in December 2023, and a public advisory was issued shortly after.