CVE-2025-10035

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Ransomware-linked · RCE

Published: 18 September 2025
Modified: 24 October 2025
KEV Added: 29 September 2025
Patch
CVSS Score v3.1: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.9961 (99.9th percentile)
Risk Priority: 100 (floored blend · peak EPSS)

Summary

CVE-2025-10035 is a critical-severity Command Injection (CWE-77) vulnerability in Fortra GoAnywhere Managed File Transfer. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 0.1% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

A deserialization vulnerability tracked as CVE-2025-10035 affects the License Servlet component of Fortra's GoAnywhere MFT. The flaw, also referenced under CWE-502 and CWE-77, permits an actor who supplies a validly forged license response signature to deserialize an arbitrary attacker-controlled object, which can result in command injection. The CVSS 3.1 score of 10.0 reflects a network attack vector, low attack complexity, no required privileges or user interaction, and complete impact to confidentiality, integrity, and availability with a changed scope.

An unauthenticated remote attacker able to craft a properly signed license response can trigger the deserialization path over the network and execute arbitrary commands on the affected server. Successful exploitation therefore grants full control of the GoAnywhere MFT instance and any data or systems it manages.

Fortra published advisory FI-2025-012 to address the issue, and the vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, confirming that mitigation guidance and patches are available from the vendor.

The associated EPSS score currently stands at 0.6224 with a recorded peak of 0.6602, and real-world exploitation has already been observed.

Vulnerability details

A deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection.

CWE(s): CWE-502 (Deserialization of Untrusted Data), CWE-77 (Command Injection)
KEV Date Added: 29 September 2025

Related Threats

Threat-Actor Attribution (AI)

Cl0p
CISA KEV lists this GoAnywhere MFT deserialization flaw as ransomware-used; public reporting attributes GoAnywhere zero-day exploitation to Cl0p.

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059 Command and Scripting Interpreter (Execution)
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

Remote unauthenticated deserialization in the public-facing License Servlet is a direct instance of T1190; the resulting command injection executes through a command interpreter, which maps to T1059.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2023-0669 · Same product: Fortra GoAnywhere Managed File Transfer · both on KEV
CVE-2025-14362 · Same product: Fortra GoAnywhere Managed File Transfer
CVE-2025-54309 · Same product class: managed file transfer · both on KEV
CVE-2014-0160 · Same product class: managed file transfer · both on KEV
CVE-2025-23006 · Shared CWE-502 · both on KEV
CVE-2023-34362 · Same product class: managed file transfer · both on KEV
CVE-2025-14031 · Same product class: managed file transfer
CVE-2026-45247 · Shared CWE-502 · both on KEV
CVE-2026-4670 · Same product class: managed file transfer
CVE-2026-24782 · Same product class: managed file transfer

Affected Assets

Vendor: Fortra
Product: GoAnywhere Managed File Transfer
Versions: ≤ 7.6.3 · 7.7.0 to 7.8.4

Mitigating Controls (NIST 800-53 r5) · AI

prevent · SI-2 (Flaw Remediation)

Requires timely identification, reporting, prioritization, and remediation of flaws such as the deserialization vulnerability in GoAnywhere MFT's License Servlet via patching.

prevent · SI-10 (Information Input Validation)

Mandates validation of information inputs like license responses to ensure they are consistent with expected formats, preventing deserialization of arbitrary malicious objects.

detect

Provides continuous monitoring of the system to identify attacks targeting the License Servlet, such as anomalous requests or command injection during active exploitation.
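The input-validation control above (SI-10) is, for a CWE-502 flaw, normally realised as a deserialization allow-list: the reader accepts only the object types the license-response path legitimately expects and rejects every other class before it is instantiated, so the check still holds even if a signature check upstream has been fooled. The Java example below is added here to illustrate that pattern; it is not Fortra's code and makes no claim about how GoAnywhere MFT's License Servlet is implemented. The `LicenseResponse` class, its fields and both sample payloads are constructed for the example; the filter API (`java.io.ObjectInputFilter`, standard since Java 9) is real.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;

public class LicenseResponseFilterDemo {

    // Hypothetical license-response type: the only application class this
    // read path is ever expected to receive.
    public static final class LicenseResponse implements Serializable {
        private static final long serialVersionUID = 1L;
        final String licensee;
        final long expiresEpochSeconds;

        LicenseResponse(String licensee, long expiresEpochSeconds) {
            this.licensee = licensee;
            this.expiresEpochSeconds = expiresEpochSeconds;
        }
    }

    // Allow-list filter. Pattern syntax: ';'-separated entries, '!' rejects,
    // and the trailing "!*" rejects every class not explicitly listed.
    // java.lang.String is allowed for the licensee field. maxdepth/maxbytes
    // bound nesting and stream size so a malformed payload cannot exhaust
    // resources before the type check fires.
    static final ObjectInputFilter LICENSE_FILTER = ObjectInputFilter.Config.createFilter(
            "LicenseResponseFilterDemo$LicenseResponse;java.lang.String;"
            + "maxdepth=3;maxbytes=4096;!*");

    // Plain Java serialization, used only to build the constructed sample payloads.
    static byte[] serialize(Object o) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Hardened read path. The filter is installed before the first readObject()
    // call, so each class descriptor is checked as it is read and a rejected
    // class is never resolved or instantiated.
    static LicenseResponse readLicenseResponse(byte[] payload) throws Exception {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            ois.setObjectInputFilter(LICENSE_FILTER);
            return (LicenseResponse) ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed "good" payload: the expected type passes the filter.
        byte[] good = serialize(new LicenseResponse("example-tenant", 1_767_225_600L));
        LicenseResponse r = readLicenseResponse(good);
        System.out.println("accepted: licensee=" + r.licensee
                + " expires=" + r.expiresEpochSeconds);

        // Constructed "unexpected" payload: a harmless ArrayList stands in for
        // any class the endpoint does not expect. It is not on the allow-list,
        // so the JDK throws InvalidClassException (filter status: REJECTED)
        // before the object is created.
        byte[] unexpected = serialize(new ArrayList<String>());
        try {
            readLicenseResponse(unexpected);
            System.out.println("BUG: unexpected type was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac LicenseResponseFilterDemo.java && java LicenseResponseFilterDemo`. The design point is ordering: signature verification decides whether a response is trusted at all, while the allow-list decides which types may ever be materialised; keeping both means a forged or stolen signature on its own cannot turn the license path into an arbitrary-object deserialization sink. The same filter can be applied process-wide with the `jdk.serialFilter` system property, which is the simpler option when every deserialization site in the application should be constrained.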