Cyber Posture

CVE-2025-10035

Critical · CISA KEV · Active Exploitation · Ransomware-linked · RCE

Published: 18 September 2025
Modified: 24 October 2025
KEV Added: 29 September 2025
Patch: see the Fortra advisory referenced below
CVSS Score: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.5520 (98.1 percentile)
Risk Priority: 73 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-10035 is a critical-severity vulnerability in Fortra GoAnywhere Managed File Transfer (MFT): a deserialization flaw (CWE-502) in the product's License Servlet that can lead to command injection (CWE-77). Its CVSS v3.1 base score is 10.0 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The EPSS score places it in the top 1.9% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.

The strongest mitigations identified in this analysis are NIST 800-53 SI-2 (Flaw Remediation), in practice upgrading to a fixed release, and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) for initial access, followed by Command and Scripting Interpreter (T1059) for execution. What defenders deploy: the NIST 800-53 controls listed below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated]

SI-2 Flaw Remediation (prevent): Requires timely identification, reporting, prioritization and remediation of flaws such as the deserialization vulnerability in GoAnywhere MFT's License Servlet, in practice by upgrading to a fixed release.

SI-10 Information Input Validation (prevent): Mandates validation of information inputs such as license responses, so that only data consistent with the expected format is accepted and arbitrary attacker-supplied objects are never deserialized.

SI-4 System Monitoring (detect): Provides continuous monitoring of the system to identify attacks targeting the License Servlet, such as anomalous requests to the licensing endpoint or command execution spawned by the GoAnywhere process during active exploitation.
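The detect control above is only useful once it is turned into concrete logic. The following is an added example, not code from this page or from Fortra: it runs two detection rules over constructed sample logs, flagging POSTs to the licensing endpoint from outside the expected source network (and bursts of them from one address) and application-log errors raised by the License Servlet during deserialization. The endpoint path /goanywhere/lic/accept, the log formats, the indicator strings and the addresses are assumptions for the example; substitute whatever your deployment actually writes.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample logs for this example. The endpoint path, the exception
# text and the addresses are assumptions standing in for whatever the
# deployment actually logs; they are not indicators published on this page.
ACCESS_LOG = """\
10.0.0.5 - - [29/Sep/2025:10:01:12 +0000] "GET /goanywhere/auth/Login.xhtml HTTP/1.1" 200 5120
203.0.113.7 - - [29/Sep/2025:10:02:44 +0000] "POST /goanywhere/lic/accept HTTP/1.1" 500 312
203.0.113.7 - - [29/Sep/2025:10:02:45 +0000] "POST /goanywhere/lic/accept HTTP/1.1" 500 312
203.0.113.7 - - [29/Sep/2025:10:02:47 +0000] "POST /goanywhere/lic/accept HTTP/1.1" 200 88
10.0.0.9 - - [29/Sep/2025:10:05:00 +0000] "GET /goanywhere/lic/accept HTTP/1.1" 405 0
"""

APP_LOG = """\
2025-09-29 10:02:44,118 ERROR LicenseServlet - license response rejected: signature mismatch
2025-09-29 10:02:45,402 ERROR LicenseServlet - Exception deserializing license: java.lang.ClassCastException at java.security.SignedObject.getObject
2025-09-29 10:05:00,010 INFO  Scheduler - nightly cleanup complete
"""

# Combined-log-format parser (assumed format for the constructed sample).
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)
LICENSE_PATH = "/goanywhere/lic/accept"      # assumed licensing endpoint
INTERNAL_NETS = [ip_network("10.0.0.0/8")]   # assumed: where admin/license traffic should come from
APP_INDICATORS = ("SignedObject.getObject", "Exception deserializing license")  # assumed strings
REPEAT_THRESHOLD = 3


def is_internal(ip: str) -> bool:
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def scan_access_log(text: str) -> list:
    """Rule 1: license-endpoint POSTs from outside the expected network, and bursts per source."""
    findings, hits = [], Counter()
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] != LICENSE_PATH:
            continue
        hits[m["ip"]] += 1
        if not is_internal(m["ip"]):
            findings.append({"type": "external_license_post", "ip": m["ip"],
                             "status": int(m["status"]), "ts": m["ts"]})
    for ip, n in hits.items():
        if n >= REPEAT_THRESHOLD:   # repeated attempts usually mean payload tuning
            findings.append({"type": "repeated_license_post", "ip": ip, "count": n})
    return findings


def scan_app_log(text: str) -> list:
    """Rule 2: errors from the License Servlet that mention deserialization of the signed object."""
    return [{"type": "license_deser_error", "line": line}
            for line in text.splitlines()
            if "LicenseServlet" in line and any(ind in line for ind in APP_INDICATORS)]


def run() -> list:
    return scan_access_log(ACCESS_LOG) + scan_app_log(APP_LOG)


if __name__ == "__main__":
    for f in run():
        print(f)
```

Both rules are deliberately cheap so they can run at ingest time; the access-log rule covers T1190, and correlating its hits with unexpected child processes of the GoAnywhere JVM is the natural follow-on for T1059.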

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter (Execution): Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

Why these techniques?

Remote, unauthenticated deserialization in the public-facing License Servlet is a direct instance of T1190; the command injection it enables runs through a command interpreter on the host (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection.

Deeper analysis [AI-generated]

CVE-2025-10035, published on 2025-09-18, is a deserialization vulnerability (CWE-502) in the License Servlet of Fortra's GoAnywhere MFT. An actor who can present a license response whose signature passes verification (a "validly forged license response signature", in NVD's wording) can make the servlet deserialize an arbitrary actor-controlled object, which can lead to command injection (CWE-77). It carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H): network-reachable, low attack complexity, no privileges or user interaction required, a scope change, and high impact on confidentiality, integrity and availability.

An unauthenticated attacker exploits the flaw remotely by submitting a crafted license response, carrying a signature that verifies, to the License Servlet. Once the signature check passes, the servlet deserializes the embedded object without restricting its type, so a malicious object graph is reconstructed on the GoAnywhere MFT server and can execute commands. That gives the attacker control of the host and of the files the MFT instance brokers: data exfiltration, modification or disruption.
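The exploitation flow described above, and the SI-10 control in the mitigations section, come down to one design mistake: a signature check followed by native deserialization of whatever was signed. The following is an added example in Python, not GoAnywhere's code and not Fortra's fix, that models the pattern with pickle in place of Java serialization. The signing key, the gadget class and the license schema are constructed for the example; the attacker is modelled as holding the signing key, the simplest way to satisfy the CVE's precondition that the signature verifies. It shows the flawed handler running the gadget, a hardened handler that parses a fixed-shape record instead of an object graph, and a class-allowlist unpickler as the fallback when native deserialization cannot be removed (the analogue of Java's ObjectInputFilter).

```python
import hashlib
import hmac
import io
import json
import pickle

# Constructed for this example: a symmetric signing key standing in for the
# license service's signer. The CVE's precondition is an attacker who can
# present a response whose signature verifies; here that attacker simply
# holds the key.
SIGNING_KEY = b"example-license-signing-key"


def sign(payload: bytes) -> bytes:
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()


def verify(payload: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(payload), sig)


EXECUTED = []  # records side effects that fire during deserialization


def record(msg):
    """Module-level callable so a pickle stream can reference it by name."""
    EXECUTED.append(msg)


class Gadget:
    """Stand-in for a deserialization gadget: reconstructing it runs attacker-chosen code."""
    def __reduce__(self):
        return (record, ("code ran inside deserialization",))


def vulnerable_handler(payload: bytes, sig: bytes):
    """The flawed pattern: verify the signature, then natively deserialize whatever was signed."""
    if not verify(payload, sig):
        raise ValueError("bad signature")
    return pickle.loads(payload)  # every class named in the stream is reconstructed, gadgets included


LICENSE_SCHEMA = {"customer": str, "seats": int, "expires": str}  # assumed license fields


def hardened_handler(payload: bytes, sig: bytes) -> dict:
    """SI-10 applied: after the signature check, parse a fixed-shape record, never an object graph."""
    if not verify(payload, sig):
        raise ValueError("bad signature")
    data = json.loads(payload.decode("utf-8"))  # UnicodeDecodeError and JSONDecodeError are ValueErrors
    if not isinstance(data, dict) or set(data) != set(LICENSE_SCHEMA):
        raise ValueError("unexpected license fields")
    for field, typ in LICENSE_SCHEMA.items():
        if type(data[field]) is not typ:
            raise ValueError(f"bad type for {field}")
    return data


class AllowlistUnpickler(pickle.Unpickler):
    """Fallback when native deserialization must stay: allowlist classes, like Java's ObjectInputFilter."""
    ALLOWED = {("builtins", "dict"), ("builtins", "str"), ("builtins", "int")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"class not allowed: {module}.{name}")


def filtered_handler(payload: bytes, sig: bytes):
    if not verify(payload, sig):
        raise ValueError("bad signature")
    return AllowlistUnpickler(io.BytesIO(payload)).load()


def demo() -> dict:
    """Same validly signed gadget against all three handlers, plus a benign record against the hardened one."""
    malicious = pickle.dumps(Gadget())
    sig = sign(malicious)  # attacker can produce a signature that verifies
    before = len(EXECUTED)
    vulnerable_handler(malicious, sig)
    ran = len(EXECUTED) - before

    def rejected(handler) -> bool:
        try:
            handler(malicious, sig)
        except (ValueError, pickle.UnpicklingError):
            return True
        return False

    benign = json.dumps({"customer": "ACME", "seats": 50, "expires": "2026-01-01"}).encode()
    return {
        "gadget_ran_in_vulnerable": ran,
        "gadget_rejected_by_hardened": rejected(hardened_handler),
        "gadget_rejected_by_filter": rejected(filtered_handler),
        "benign_parsed_seats": hardened_handler(benign, sign(benign))["seats"],
    }


if __name__ == "__main__":
    print(demo())
```

The point the example makes is that signature verification authenticates the sender, not the safety of the bytes: once an attacker can satisfy the check, only the shape of what is accepted afterwards decides whether code runs.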

Fortra's security advisory (https://www.fortra.com/security/advisories/product-security/fi-2025-012) lists the fixed releases and interim mitigations; until the upgrade is applied, following the advisory's guidance to keep the GoAnywhere Admin Console off the public internet reduces exposure of the licensing endpoint. The vulnerability is also in CISA's Known Exploited Vulnerabilities Catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-10035), which means it is being exploited in the wild and affected versions should be patched immediately.

Details

CWE(s): CWE-502 (Deserialization of Untrusted Data), CWE-77 (Command Injection)
KEV Date Added: 29 September 2025

Affected Products

Fortra GoAnywhere Managed File Transfer: releases before 7.6.3, and 7.7.0 up to but not including 7.8.4 (fixed in the 7.6.3 sustain release and in 7.8.4)
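The first question an operator asks is whether a given build falls inside those ranges. The following is an added example, not a tool from this page or from Fortra: it encodes the two affected ranges with the fixed releases 7.6.3 and 7.8.4 as exclusive upper bounds, parses version strings with build suffixes, and triages a constructed inventory. The hostnames and versions in the sample inventory are assumptions.

```python
import re

# Affected ranges for CVE-2025-10035 as listed on this page; the exclusive upper
# bounds are the fixed releases named in Fortra's advisory (7.6.3 sustain, 7.8.4).
AFFECTED_RANGES = [
    ((0,),      (7, 6, 3)),   # every release before 7.6.3
    ((7, 7, 0), (7, 8, 4)),   # 7.7.0 up to, but not including, 7.8.4
]


def parse_version(text: str) -> tuple:
    """Leading dotted integers only; build suffixes such as '7.8.3-b42' are ignored."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_affected(version: str) -> bool:
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def triage(inventory: dict) -> list:
    """Hostnames running an affected build, given {host: version}."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


SAMPLE_INVENTORY = {   # constructed sample, not real hosts
    "mft-prod-01": "7.8.3",
    "mft-prod-02": "7.8.4",
    "mft-legacy": "7.6.2-b17",
    "mft-sustain": "7.6.3",
    "mft-dev": "7.9.0",
}

if __name__ == "__main__":
    print(triage(SAMPLE_INVENTORY))
```

Note that 7.6.x builds above 7.6.3 are deliberately not flagged, since the sustain branch was fixed at 7.6.3; a two-component string such as "7.8" compares as older than "7.8.4" and is therefore treated as affected, which is the safe default when the patch level is unknown.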

CVEs Like This One

CVE-2025-14362 · same product: Fortra GoAnywhere Managed File Transfer
CVE-2025-54309 · same product class: managed file transfer · both on KEV
CVE-2025-23006 · shared CWE-502 · both on KEV
CVE-2025-14031 · same product class: managed file transfer
CVE-2026-1264 · same product class: managed file transfer
CVE-2026-4670 · same product class: managed file transfer
CVE-2025-53770 · shared CWE-502 · both on KEV
CVE-2026-22719 · shared CWE-77 · both on KEV
CVE-2025-40551 · shared CWE-502 · both on KEV
CVE-2026-20963 · shared CWE-502 · both on KEV
