Overview
Fortra GoAnywhere MFT contains an insecure deserialization vulnerability in the License Servlet that allows authenticated attackers, or those with knowledge of the license signature algorithm, to perform command injection by crafting a validly forged license response signature. The vulnerability exists in the license validation process, where attacker-controlled serialized objects are deserialized without proper validation. The vulnerability was disclosed on September 18, 2025. CISA has identified CVE-2025-10035 as exploited in the wild, and it is known to be used in ransomware campaigns.
Technical details
The License Servlet in Fortra GoAnywhere MFT improperly deserializes untrusted data from license responses without sufficient validation. An attacker who can forge a valid license signature can inject malicious serialized objects that execute arbitrary commands when deserialized. The vulnerability requires the attacker to possess knowledge of or bypass the license signature verification mechanism.
The vulnerability is classified as CWE-502 (Deserialization of Untrusted Data) and CWE-94 (Improper Control of Generation of Code ('Code Injection')).
The vulnerability received a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H, indicating its high severity.
Impact
Successful exploitation allows an attacker to execute arbitrary commands on the GoAnywhere MFT server with the privileges of the application user. This could lead to complete system compromise, data theft, lateral movement within the network, installation of malware or backdoors, and disruption of managed file transfer operations. The attack requires forging a valid license signature, which increases attack complexity but is technically feasible with knowledge of the signature algorithm.
Mitigation and workarounds
Fortra recommends upgrading to the latest patched versions: 7.4.3, 7.3.9, or 7.2.12, depending on your current version. Download patches from the Fortra support portal and follow the standard upgrade procedures. Back up your configuration before applying patches. The following versions include the necessary fixes: GoAnywhere MFT 7.4.3, GoAnywhere MFT 7.3.9, GoAnywhere MFT 7.2.12.
As temporary workarounds: restrict network access to the GoAnywhere MFT License Servlet endpoints (typically port 8080 or custom HTTP ports) using firewall rules or network segmentation, and limit access to trusted license servers only; implement web application firewall (WAF) rules to block suspicious license responses containing serialized Java objects or binary data patterns typically associated with gadget chain exploitation; and monitor License Servlet logs and access patterns for suspicious license update requests containing binary data.
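As an added illustration of the WAF and log-monitoring workarounds above (example code, not Fortra's or GoAnywhere's own), the following Python flags request or response bodies that carry a Java serialization stream header, whether it appears raw, hex-encoded, or inside a base64 run (standard or URL-safe alphabet). The sample bodies are constructed, not real GoAnywhere traffic, and the function names are this example's own.

```python
import base64
import re

# Java serialization stream header: STREAM_MAGIC (0xACED) + STREAM_VERSION (0x0005)
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"
HEX_MAGIC_RE = re.compile(rb"aced0005", re.IGNORECASE)
# Runs of base64 text long enough to carry a serialized object (std or URL-safe alphabet)
B64_RUN_RE = re.compile(rb"[A-Za-z0-9+/_-]{16,}={0,2}")


def _decode_b64_run(run: bytes) -> bytes:
    """Lenient base64 decode: map URL-safe chars, drop padding and any trailing remainder."""
    run = run.replace(b"-", b"+").replace(b"_", b"/").rstrip(b"=")
    run = run[: len(run) - len(run) % 4]
    try:
        return base64.b64decode(run)
    except ValueError:
        return b""


def find_java_serialization(body: bytes) -> list[dict]:
    """One finding per occurrence of the stream header, in raw, hex or base64 form."""
    findings = []
    pos = body.find(JAVA_STREAM_MAGIC)
    while pos != -1:
        findings.append({"encoding": "raw", "offset": pos})
        pos = body.find(JAVA_STREAM_MAGIC, pos + 1)
    for m in HEX_MAGIC_RE.finditer(body):
        findings.append({"encoding": "hex", "offset": m.start()})
    for m in B64_RUN_RE.finditer(body):
        inner = _decode_b64_run(m.group(0)).find(JAVA_STREAM_MAGIC)
        if inner != -1:  # header may sit at any byte offset inside the decoded run
            findings.append({"encoding": "base64", "offset": m.start(), "decoded_offset": inner})
    return findings


def is_suspicious_license_request(body: bytes) -> bool:
    """Trigger for review: a license update body should not contain a Java object stream."""
    return bool(find_java_serialization(body))


# Constructed samples (not captured GoAnywhere traffic)
BENIGN_BODY = b"licenseKey=ABC-123&product=GoAnywhere&version=7.4.2"
FAKE_OBJECT = JAVA_STREAM_MAGIC + b"\x73\x72\x00\x0cExampleClass"  # header + TC_OBJECT stub
RAW_BODY = b"licenseResponse=" + FAKE_OBJECT
B64_BODY = b"bundle=" + base64.urlsafe_b64encode(b"pad" + FAKE_OBJECT)
HEX_BODY = b"sig=" + FAKE_OBJECT.hex().encode()
```

A header match is a signal for review rather than proof of exploitation, since legitimate Java-to-Java traffic can also carry serialized objects; the value of the check is that a license update body has no reason to contain one.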
CISA recommendation: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Additional resources
Source: This report was generated by AI

