
Unpatched Fortra GoAnywhere Flaw Risks Full System Takeover

Summary

– CVE-2025-10035 is a critical deserialization vulnerability in Fortra’s GoAnywhere MFT solution that could allow remote command injection.
– The flaw has a maximum severity CVSS score because it is remotely exploitable without authentication and can lead to full system compromise.
– Exploitation requires the attacker to have access to the GoAnywhere administrative console of a vulnerable installation.
– Fortra advises customers to immediately upgrade to a patched version or ensure the Admin Console is not publicly accessible.
– Organizations should monitor logs for suspicious activity and implement egress filtering, as patching alone may not remove attackers from already compromised systems.

Organizations relying on Fortra’s GoAnywhere managed file transfer (MFT) platform must take immediate action to address a newly disclosed critical security vulnerability. Identified as CVE-2025-10035, this flaw presents a severe risk, potentially enabling attackers to achieve full system takeover if left unpatched. The vulnerability exists within the software’s License servlet and involves a dangerous deserialization issue.

This specific weakness could allow an individual with a forged license response signature to inject and execute arbitrary commands. While there is no current evidence of active exploitation, the vulnerability carries the highest possible severity rating. It is remotely exploitable over a network, requires no authentication or user interaction, and could lead to a complete compromise of the system. A significant mitigating factor, however, is that an attacker must first gain access to the GoAnywhere administrative console of a vulnerable installation to leverage this flaw.

The situation echoes a serious incident from early 2023 involving the same platform. At that time, the Cl0p ransomware gang successfully exploited a different zero-day vulnerability (CVE-2023-0669) in the same servlet. Their attack was facilitated because numerous GoAnywhere Admin Consoles were exposed directly to the public internet, leading to data exfiltration from over 130 organizations. That event served as a stark reminder that the admin console should never be publicly accessible and should be restricted to private company networks, accessed via VPN, or limited to trusted IP addresses only.

Fortra has released patches to resolve this critical issue. The company strongly advises all customers to upgrade immediately to a secure version, which includes GoAnywhere v7.8.4 or Sustain Release v7.6.3. As an alternative or complementary measure, organizations must verify that access to the administrative console is properly locked down and not exposed to the open internet.

In addition to applying the patch, proactive monitoring is essential. Administrators should scrutinize their Admin Audit logs for any unusual activity. They are also instructed to check log files for errors containing the specific string “SignedObject.getObject”. The presence of this text in an exception stack trace is a strong indicator that an attempt was made to exploit this vulnerability.
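The log check described above can be scripted so that a hit is reported together with the log entry it belongs to. The following is an added example, not code from Fortra or from the original article; the timestamp layout, the sample log lines and the com.example class names are constructed assumptions and need adjusting to the real log format.

```python
import re

INDICATOR = "SignedObject.getObject"  # string the advisory says to look for

# Assumption: every log entry starts with a "YYYY-MM-DD HH:MM:SS" timestamp and
# stack-trace lines follow without one. Adjust to the real log layout.
ENTRY_START = re.compile(r"^\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}:\d{2}")

# Constructed sample, not real GoAnywhere output; com.example.* is a placeholder.
SAMPLE_LOG = """\
2025-01-01 10:01:02 INFO  Admin user logged in
2025-01-01 10:05:13 ERROR Error processing license response
java.lang.RuntimeException: constructed example message
\tat java.base/java.security.SignedObject.getObject(Unknown Source)
\tat com.example.LicenseHandler.handle(Unknown Source)
2025-01-01 10:06:00 INFO  Audit search for SignedObject.getObject finished
2025-01-01 10:07:00 ERROR Transfer failed
java.io.IOException: connection reset
\tat com.example.Transfer.run(Unknown Source)
"""

def group_entries(lines):
    """Yield lists of lines: one timestamped header plus its continuation lines."""
    current = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line.strip():
            continue
        if ENTRY_START.match(line) and current:
            yield current
            current = []
        current.append(line)
    if current:
        yield current

def find_hits(lines):
    """Return entries whose stack trace (not just the message) has the indicator."""
    hits = []
    for entry in group_entries(lines):
        header, trace = entry[0], entry[1:]
        evidence = [ln.strip() for ln in trace if INDICATOR in ln]
        if evidence:
            hits.append({"header": header, "evidence": evidence[0],
                         "trace_lines": len(trace)})
    return hits

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG.splitlines()):
        print(f"{hit['header']}\n    -> {hit['evidence']} ({hit['trace_lines']} trace lines)")
```

Only entries with the string in the stack-trace lines are reported, so an ordinary message that merely mentions it (the 10:06:00 line in the sample) is not flagged.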

Security experts further recommend implementing egress filtering and setting up alerts for large file uploads, high-volume traffic directed to suspicious IP addresses or domains, and the unexpected usage of data transfer or archive utilities. It is crucial to understand that if this vulnerability was exploited as a zero-day before the patch was available, simply applying the update will not remove an attacker who has already gained a foothold within the network. A comprehensive investigation would be necessary to ensure the environment is fully secured.

(Source: HelpNet Security)
