Fortra Issues Critical Alert for GoAnywhere MFT Vulnerability

Summary
– Fortra has patched a maximum severity vulnerability (CVE-2025-10035) in GoAnywhere MFT’s License Servlet, which enables remote command injection attacks without user interaction.
– The flaw stems from deserialization of untrusted data. During a security check on September 11, 2025, Fortra determined that systems with the Admin Console exposed to the internet are the ones primarily at risk.
– Patches are available in GoAnywhere MFT versions 7.8.4 and 7.6.3, and mitigation involves restricting internet access to the Admin Console if immediate patching isn’t possible.
– While not confirmed as actively exploited, threat actors target such file transfer tools for sensitive data, as seen in past attacks like the Clop ransomware exploitation of CVE-2023-0669.
– The Shadowserver Foundation sees more than 470 GoAnywhere MFT instances exposed online; Fortra says over 3,000 organizations, including Fortune 500 companies, use its GoAnywhere software.
Fortra has issued an urgent security alert for a maximum-severity vulnerability in its GoAnywhere MFT software and released patches for it. The issue, tracked as CVE-2025-10035, stems from unsafe deserialization of untrusted data within the License Servlet component and can lead to remote command injection. It is exploitable remotely without user interaction, making it a significant concern for organizations that rely on the platform for secure file transfers.
GoAnywhere MFT serves as a web-based managed file transfer solution, enabling businesses to exchange files securely while maintaining detailed access logs. The newly discovered weakness allows an attacker with a forged license response signature to deserialize arbitrary objects, potentially resulting in command execution on the host system.
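The bug class described above, as an added example that is not Fortra's code and does not reproduce the servlet's logic: a "license response" that is deserialized once a signature check passes. Python's pickle stands in for Java serialization, HMAC-SHA256 with an assumed shared key stands in for the real signature scheme, and a successfully forged signature is modelled simply by handing the attacker a valid one, since the page does not say how the forgery works. The point it shows is that a signature check is a single point of failure: if the deserializer itself accepts arbitrary classes, a forged signature is enough for code execution, whereas a deserializer that refuses class lookups survives the forgery.

```python
"""Added example, not Fortra's code: a signature-gated deserializer and why a
forgeable signature is fatal when deserialization itself is unrestricted.

Python's pickle stands in for Java serialization; the "license response" is a
hypothetical (payload, signature) pair. HMAC-SHA256 over the payload with an
assumed shared key stands in for whatever scheme the real servlet uses.
"""
import hashlib
import hmac
import io
import os
import pickle

SERVER_KEY = b"example-shared-secret"   # assumed for the demo; never hard-code real keys


def sign(payload: bytes, key: bytes = SERVER_KEY) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()


def verify(payload: bytes, signature: bytes, key: bytes = SERVER_KEY) -> bool:
    # Constant-time compare so the check itself does not leak the MAC.
    return hmac.compare_digest(sign(payload, key), signature)


class MaliciousLicense:
    """Attacker object: on load, pickle calls the (callable, args) from __reduce__.
    A real payload would name os.system; os.getcwd is used so the demo is harmless."""

    def __reduce__(self):
        return (os.getcwd, ())


def load_license_unsafe(payload: bytes, signature: bytes):
    """The signature check exists, but whatever it admits is fully deserialized.
    An attacker who can forge the signature gets arbitrary code execution."""
    if not verify(payload, signature):
        raise ValueError("bad signature")
    return pickle.loads(payload)


class RestrictedUnpickler(pickle.Unpickler):
    """Refuses every class/function lookup. Legitimate license data is plain
    dict/str/int, which pickle rebuilds without any lookup, so nothing is lost."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def load_license_hardened(payload: bytes, signature: bytes):
    if not verify(payload, signature):
        raise ValueError("bad signature")          # fail closed before parsing anything
    return RestrictedUnpickler(io.BytesIO(payload)).load()


def outcome(loader, payload: bytes, signature: bytes):
    """Return the loaded object, or the exception class name if the loader refused."""
    try:
        return loader(payload, signature)
    except (ValueError, pickle.UnpicklingError) as exc:
        return type(exc).__name__


def demo() -> dict:
    genuine = pickle.dumps({"licensee": "example-corp", "seats": 25})  # constructed sample
    evil = pickle.dumps(MaliciousLicense())                              # constructed attacker blob
    forged_ok = sign(evil)        # models a successfully forged signature
    forged_bad = bytes(32)        # attacker guessing without the key
    unsafe_result = outcome(load_license_unsafe, evil, forged_ok)
    return {
        "hardened_genuine": outcome(load_license_hardened, genuine, sign(genuine)),
        "unsafe_bad_sig": outcome(load_license_unsafe, evil, forged_bad),
        "unsafe_forged_sig": unsafe_result,                      # attacker's callable ran
        "unsafe_ran_attacker_call": unsafe_result == os.getcwd(),
        "hardened_forged_sig": outcome(load_license_hardened, evil, forged_ok),  # still refused
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:26} -> {result!r}")
```

The Java equivalent of `RestrictedUnpickler` is an `ObjectInputFilter` (or a `resolveClass` override) that allowlists the handful of types a license response legitimately contains; the ordering (verify, then parse through the filter) is the same.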
During a routine security review on September 11, 2025, Fortra determined that customers with internet-exposed Admin Consoles were at risk of unauthorized third-party access. Fortra released a patch and published mitigation guidance. Administrators are strongly advised to review their configurations without delay and ensure the Admin Console is not publicly accessible.
Patched versions, GoAnywhere MFT 7.8.4 and Sustain Release 7.6.3, are now available. For organizations unable to upgrade immediately, Fortra emphasizes isolating the Admin Console from the internet to reduce exposure. Fortra notes that exploitation depends largely on the Admin Console being reachable from the internet, underscoring the role of network configuration in overall security posture.
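A triage pass over an inventory, as an added example (not Fortra's tooling): it compares each host's version against the two fixed releases the advisory names and ranks unpatched hosts whose Admin Console is internet-exposed first. The branch logic matters because a naive comparison against 7.8.4 would wrongly flag a patched 7.6.3 Sustain Release host. Assumptions made here and not stated on the page: every version below the fix on its branch is affected, 7.6.x is the only sustain branch, and exposure is recorded per host. The inventory rows are constructed for the example.

```python
"""Added example, not Fortra's tooling: triage GoAnywhere MFT hosts against the
fixed versions named in the advisory (7.8.4 and Sustain Release 7.6.3).

Assumptions (not from the advisory text): every version below the fix on its
branch is affected, 7.6.x is the only sustain branch, exposure is known per host.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

FIXED_SUSTAIN: Tuple[int, int, int] = (7, 6, 3)   # Sustain Release 7.6.3
FIXED_MAIN: Tuple[int, int, int] = (7, 8, 4)      # GoAnywhere MFT 7.8.4


def parse_version(text: str) -> Tuple[int, ...]:
    """'7.8.3' -> (7, 8, 3); '7.8' -> (7, 8, 0). Rejects anything non-numeric."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * max(0, 3 - len(nums))


def is_patched(version: str) -> bool:
    v = parse_version(version)
    if v[:2] == (7, 6):                 # sustain branch: fixed in 7.6.3 (assumed affected below)
        return v >= FIXED_SUSTAIN
    return v >= FIXED_MAIN              # every other version needs 7.8.4 or later (assumed)


def required_fix(version: str) -> str:
    """Which release a host should move to."""
    return "7.6.3" if parse_version(version)[:2] == (7, 6) else "7.8.4"


@dataclass
class Host:
    name: str
    version: str
    admin_console_internet_exposed: bool


def triage(hosts: Iterable[Host]) -> Dict[str, List[str]]:
    """urgent: unpatched and Admin Console reachable from the internet (patch now or
    pull the console off the internet); patch: unpatched but internal; ok: patched."""
    buckets: Dict[str, List[str]] = {"urgent": [], "patch": [], "ok": []}
    for h in hosts:
        if is_patched(h.version):
            buckets["ok"].append(h.name)
        elif h.admin_console_internet_exposed:
            buckets["urgent"].append(f"{h.name} ({h.version} -> {required_fix(h.version)})")
        else:
            buckets["patch"].append(f"{h.name} ({h.version} -> {required_fix(h.version)})")
    return buckets


SAMPLE_INVENTORY = [  # constructed sample data, not real hosts
    Host("mft-dmz-01", "7.8.3", True),
    Host("mft-dmz-02", "7.8.4", True),
    Host("mft-int-01", "7.6.2", False),
    Host("mft-int-02", "7.6.3", False),
    Host("mft-lab-01", "7.7.0", True),
]

if __name__ == "__main__":
    for bucket, names in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:7} {names}")
```

Feed it your real inventory (CMDB export, or the version banner from each Admin Console) and treat the `urgent` bucket as the to-do list for today; everything in `patch` still needs the upgrade, just without the internet-facing exposure the advisory singles out.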
According to the nonprofit Shadowserver Foundation, more than 470 GoAnywhere MFT instances are currently visible online. It is not known how many of these have been updated or still run a vulnerable configuration.
Although there is no confirmed active exploitation of CVE-2025-10035 at this time, administrators should treat patching as a high priority. Secure file transfer solutions like GoAnywhere MFT are attractive targets for cybercriminals due to the sensitive nature of the data they handle. This is not the first time the platform has been targeted; in early 2023, the Clop ransomware group exploited a previous zero-day vulnerability (CVE-2023-0669) to compromise more than 130 organizations.
Fortra, previously known as HelpSystems, supports over 9,000 organizations globally with its cybersecurity products, which include both GoAnywhere MFT and the widely used, and frequently abused, Cobalt Strike penetration testing tool. Notably, Cobalt Strike has also been subject to exploitation via flaws such as CVE-2022-39197 and CVE-2022-42948, which were added to CISA’s Known Exploited Vulnerabilities catalog in March 2023.
With more than 3,000 organizations, including many Fortune 500 companies, using GoAnywhere software, applying these updates, or at minimum removing the Admin Console from the internet, should be treated as urgent.
(Source: Bleeping Computer)
