Fortra has issued patches for a critical vulnerability in its GoAnywhere Managed File Transfer (MFT) software that could be exploited for command injection.
The flaw, tracked as CVE-2025-10035, received a CVSS score of 10.0, the highest possible severity. It is a deserialization of untrusted data issue that affects the application's license servlet.
According to Fortra, a hacker with a specially crafted license signature could exploit the bug to execute malicious commands. Rapid7 warns that this could allow an unauthenticated attacker to achieve remote code execution on vulnerable GoAnywhere MFT instances.
How to Mitigate the Threat
Fortra has released patches in GoAnywhere MFT version 7.8.4 and GoAnywhere MFT Sustain version 7.6.3. The company is urging customers to update immediately and to ensure their GoAnywhere Admin Console is not accessible to the public, as exploitation depends on the system being exposed to the internet.
Fortra also advises customers to monitor their Admin Audit logs for any suspicious activity and to check log files for errors containing the "SignedObject.getObject:" string.
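As an added example (not code from Fortra's advisory or the GoAnywhere product), the log check above implemented in Python: it scans log text for error lines containing the "SignedObject.getObject:" string and reports each hit with its line number and timestamp so an investigation window can be scoped. The log-line layout and the sample lines are assumptions constructed for this illustration; adjust the pattern to the format of your own GoAnywhere log files.

```python
import re
from typing import Iterable

# Indicator string named in Fortra's guidance for CVE-2025-10035.
INDICATOR = "SignedObject.getObject:"

# Assumed log-line layout: "<date> <time> <LEVEL> <message>".
# Real GoAnywhere log formatting may differ; adjust the pattern as needed.
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+)\s+(?P<level>[A-Z]+)\s+(?P<msg>.*)$")


def find_indicator_hits(lines: Iterable[str]) -> list[dict]:
    """Return one record per log line that contains INDICATOR."""
    hits = []
    for lineno, raw in enumerate(lines, start=1):
        line = raw.rstrip("\n")
        if INDICATOR not in line:
            continue
        m = LINE_RE.match(line)
        hits.append({
            "line": lineno,
            "timestamp": m.group("ts") if m else None,
            "level": m.group("level") if m else None,
            "text": line,
        })
    return hits


def summarize(hits: list[dict]) -> dict:
    """Count hits and record first/last timestamps to bound the review window."""
    stamps = [h["timestamp"] for h in hits if h["timestamp"]]
    return {
        "count": len(hits),
        "first": min(stamps) if stamps else None,
        "last": max(stamps) if stamps else None,
    }


# Constructed sample log lines for demonstration (not real GoAnywhere output).
SAMPLE_LOG = [
    "2025-09-18 10:02:11 INFO  License check completed",
    "2025-09-18 10:05:42 ERROR SignedObject.getObject: unexpected object type",
    "2025-09-18 10:05:43 WARN  Admin login failed for user admin",
    "2025-09-19 03:14:07 ERROR SignedObject.getObject: deserialization failure",
]

if __name__ == "__main__":
    found = find_indicator_hits(SAMPLE_LOG)
    for h in found:
        print(f"line {h['line']} [{h['timestamp']}] {h['text']}")
    print(summarize(found))
```

Any hit should be correlated with the Admin Audit log entries around the same timestamp, since the indicator alone only shows that the license servlet rejected or failed on a signed object.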
While there is no mention of the vulnerability being exploited in the wild, cybersecurity experts say it should be considered a serious threat due to the history of this product. In 2023, hackers from the Cl0p ransomware gang exploited a zero-day vulnerability in the same software to create unauthorized accounts and steal data from dozens of organizations.