CVE-2025-10035
Published: 18 September 2025
Summary
CVE-2025-10035 is a critical-severity Command Injection (CWE-77) vulnerability in Fortra GoAnywhere Managed File Transfer (MFT). Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 0.1% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
A deserialization vulnerability tracked as CVE-2025-10035 affects the License Servlet component of Fortra's GoAnywhere MFT. The flaw, also referenced under CWE-502 (Deserialization of Untrusted Data) and CWE-77 (Command Injection), permits an actor who supplies a validly forged license response signature to deserialize an arbitrary attacker-controlled object, which can result in command injection. The issue carries a CVSS 3.1 score of 10.0, reflecting a network attack vector, low attack complexity, no required privileges or user interaction, and complete impact to confidentiality, integrity, and availability with a changed scope.
An unauthenticated remote attacker able to craft a properly signed license response can trigger the deserialization path over the network and execute arbitrary commands on the affected server. Successful exploitation therefore grants full control of the GoAnywhere MFT instance and any data or systems it manages.
Fortra published advisory FI-2025-012 to address the issue, and the vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, confirming that mitigation guidance and patches are available from the vendor.
The associated EPSS score currently stands at 0.6224 with a recorded peak of 0.6602, and real-world exploitation has already been observed.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-30225
Vulnerability details
A deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection.
- CWE(s): CWE-502, CWE-77
- KEV Date Added: 29 September 2025
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote, unauthenticated deserialization in the public-facing License Servlet directly enables Exploit Public-Facing Application (T1190), leading to command injection and execution through Command and Scripting Interpreter (T1059).
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Requires timely identification, reporting, prioritization, and remediation of flaws such as the deserialization vulnerability in GoAnywhere MFT's License Servlet, via patching.
- SI-10 (Information Input Validation): Mandates validation of information inputs such as license responses to ensure they are consistent with expected formats, preventing deserialization of arbitrary malicious objects.
- SI-4 (System Monitoring): Provides continuous monitoring of the system to identify attacks targeting the License Servlet, such as anomalous requests or command injection during active exploitation.