CVE-2025-10035

GoAnywhere MFT vulnerability analysis and mitigation — CRITICAL (CVSS 10)

High Profile Threat

Overview

Fortra GoAnywhere MFT contains an insecure deserialization vulnerability in the License Servlet. The servlet accepts a license response, checks its signature, and then deserializes the Java object the response carries; an attacker who can present a validly forged license response signature can therefore have an arbitrary attacker-controlled object deserialized, which can lead to command injection. The servlet is reachable without authentication. The vulnerability was disclosed on September 18, 2025. CISA has added CVE-2025-10035 to its Known Exploited Vulnerabilities catalog, and it is known to be used in ransomware campaigns.

Technical details

The License Servlet in Fortra GoAnywhere MFT deserializes the object carried in a license response once the response's signature has been accepted. The signature check is the only gate, and nothing restricts which classes may be instantiated while the object is read, so an attacker who can forge a signature the servlet accepts can supply a serialized gadget chain that executes arbitrary commands during deserialization. Forging that signature requires the corresponding private signing key, or a flaw in the verification itself; knowing the signature algorithm is not enough, since the algorithm is public. The exploitation seen in the wild shows that attackers had some way of producing signatures the servlet accepted.

The vulnerability is classified as CWE-502 (Deserialization of Untrusted Data) and CWE-94 (Improper Control of Generation of Code ('Code Injection')).

The vulnerability has a CVSS v3.1 base score of 10.0 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H: reachable over the network, low attack complexity, no privileges or user interaction required, and a scope change with high confidentiality, integrity and availability impact.
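The flow described above, as an added example that is not Fortra's code: Python pickle stands in for Java object serialization, and an HMAC keyed with a constructed vendor secret (VENDOR_KEY) stands in for the license server's signature. The property that matters for this bug carries over: the algorithm is public, but producing an acceptable signature needs the secret. LicenseResponse, accept_license_vulnerable, accept_license_hardened, MALICIOUS_PAYLOAD and the two attacker functions are all constructed for this example. The vulnerable path does what the servlet does, verify and then deserialize whatever was signed; the hardened path signs a plain JSON document and parses it against a fixed schema, so even a correctly signed hostile payload cannot instantiate anything.

```python
"""Constructed model of the License Servlet flaw: signature check, then
unrestricted deserialization. Not Fortra code; pickle and HMAC are stand-ins."""
import hashlib
import hmac
import json
import os
import pickle
from dataclasses import dataclass

# Constructed secret: plays the role of the private key that only the
# legitimate license server should hold.
VENDOR_KEY = b"constructed-vendor-signing-secret"


@dataclass(frozen=True)
class LicenseResponse:
    payload: bytes      # serialized object (or, when hardened, a JSON document)
    signature: bytes    # signature over payload


def sign(key: bytes, payload: bytes) -> bytes:
    """Stand-in for the license server signing a response."""
    return hmac.new(key, payload, hashlib.sha256).digest()


def signature_ok(resp: LicenseResponse, key: bytes) -> bool:
    return hmac.compare_digest(sign(key, resp.payload), resp.signature)


def accept_license_vulnerable(resp: LicenseResponse, key: bytes = VENDOR_KEY):
    """Vulnerable pattern: once the signature passes, the payload is
    deserialized with no restriction on what it may instantiate (CWE-502)."""
    if not signature_ok(resp, key):
        raise PermissionError("license signature rejected")
    return pickle.loads(resp.payload)  # attacker-chosen code runs in here


# Hardened pattern: sign a plain data document, never a serialized object,
# and parse it with a non-executing parser against a fixed schema.
ALLOWED_FIELDS = {"customer": str, "expires": str, "seats": int}


def accept_license_hardened(resp: LicenseResponse, key: bytes = VENDOR_KEY) -> dict:
    if not signature_ok(resp, key):
        raise PermissionError("license signature rejected")
    try:
        doc = json.loads(resp.payload.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise ValueError("license payload is not a JSON document") from exc
    if not isinstance(doc, dict) or set(doc) != set(ALLOWED_FIELDS):
        raise ValueError("license payload has unexpected fields")
    for field, typ in ALLOWED_FIELDS.items():
        if type(doc[field]) is not typ:
            raise ValueError(f"license field {field!r} has the wrong type")
    return doc


# Constructed hostile payload: a hand-built protocol-0 pickle that calls
# builtins.eval on load, the Python analogue of a Java gadget chain. The
# expression only sets an environment variable so execution is observable.
MALICIOUS_PAYLOAD = (
    b"cbuiltins\neval\n"
    b"(S'__import__(\"os\").environ.__setitem__(\"GOANYWHERE_DEMO\", \"code-ran\")'\n"
    b"tR."
)

GENUINE_PAYLOAD = json.dumps(
    {"customer": "example", "expires": "2026-01-01", "seats": 10}
).encode()


def attacker_without_key() -> str:
    """Knowing the algorithm is not enough: a guessed key is rejected."""
    forged = LicenseResponse(MALICIOUS_PAYLOAD, sign(b"guess", MALICIOUS_PAYLOAD))
    try:
        accept_license_vulnerable(forged)
    except PermissionError:
        return "rejected"
    return "accepted"


def attacker_with_key(hardened: bool) -> str:
    """With a signature the servlet accepts, only the parser decides the outcome."""
    os.environ.pop("GOANYWHERE_DEMO", None)
    forged = LicenseResponse(MALICIOUS_PAYLOAD, sign(VENDOR_KEY, MALICIOUS_PAYLOAD))
    try:
        if hardened:
            accept_license_hardened(forged)
        else:
            accept_license_vulnerable(forged)
    except ValueError:
        pass  # hardened parser refused the payload; nothing was executed
    return "code-ran" if os.environ.get("GOANYWHERE_DEMO") == "code-ran" else "blocked"


if __name__ == "__main__":
    print("no key:", attacker_without_key())                    # rejected
    print("leaked key, vulnerable:", attacker_with_key(False))  # code-ran
    print("leaked key, hardened:", attacker_with_key(True))     # blocked
    genuine = LicenseResponse(GENUINE_PAYLOAD, sign(VENDOR_KEY, GENUINE_PAYLOAD))
    print("genuine, hardened:", accept_license_hardened(genuine))
```

The point generalises past this CVE: a signature proves who produced the bytes, not that deserializing them is safe, so a leaked or weakly protected signing key turns a "trusted" object stream straight into code execution. The robust fix is to stop deserializing attacker-reachable object streams at all; where that cannot be done on the JVM, a strict class allow-list enforced through an ObjectInputFilter is the fallback.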

Impact

Successful exploitation gives an attacker arbitrary command execution on the GoAnywhere MFT server with the privileges of the application's service account. Because an MFT server holds stored partner credentials, the files passing through it, and trusted network paths into internal systems, this can lead to complete system compromise, data theft, lateral movement within the network, installation of malware or backdoors, and disruption of managed file transfer operations. The attack requires a license response signature that the servlet accepts, which in practice means holding the private signing key rather than merely knowing the signature algorithm; that is not a theoretical barrier, since the vulnerability has been exploited in the wild.

Mitigation and workarounds

Fortra has fixed this vulnerability in GoAnywhere MFT 7.8.4 and in Sustain Release 7.6.3. Upgrade to one of those releases (or a later one) from the Fortra support portal following the standard upgrade procedure, and back up the configuration and database before applying the update; confirm the installed version afterwards in the Admin Console. Because the vulnerability has been exploited in the wild, treat the upgrade as closing the door, not as cleanup: review the instance for signs of earlier compromise (unexpected administrative accounts, web shells, unusual outbound connections, and the indicators in Fortra's advisory) rather than assuming the patch undid access an attacker already had.

If upgrading is not immediately possible, Fortra's workaround is to ensure that the GoAnywhere Admin Console, which hosts the License Servlet, is not reachable from the public internet: restrict its ports (8000 for HTTP and 8001 for HTTPS by default, or whatever custom ports are configured) with firewall rules or network segmentation so that only administrators on trusted networks can reach it. The web client used by trading partners normally runs on a separate port and does not need to be cut off. A web application firewall in front of the Admin Console can additionally drop requests to the license endpoint whose body carries a Java serialized stream (raw bytes beginning AC ED 00 05, or rO0AB when base64-encoded). Review the application logs for Fortra's published indicator of an exploitation attempt, an error whose stack trace contains SignedObject.getObject, and for license requests from unexpected source addresses; any such hit should start incident response, not just a block rule.
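An added detection example for the log-review part of the workarounds; this is not Fortra tooling. It scans constructed log lines for Fortra's published indicator (a stack trace containing SignedObject.getObject) and for license-endpoint requests from addresses outside an allow-list, collapsing one stack trace into one finding. The log layout, the LICENSE_PATH_PREFIX value, TRUSTED_NETS and every sample line are assumptions to be set from the real deployment; the com.example frame in the sample trace is a placeholder, not a real GoAnywhere class.

```python
"""Constructed log scan for the two workaround checks. Not Fortra tooling."""
import ipaddress
import re
from dataclasses import dataclass

# Indicator from Fortra's advisory: an error whose stack trace reaches this frame.
IOC_FRAME = "SignedObject.getObject"

# Assumption: request path prefix of the License Servlet in this deployment.
# Hypothetical placeholder; take the real value from the server configuration.
LICENSE_PATH_PREFIX = "/goanywhere/lic/"

# Constructed allow-list: networks from which license traffic is expected.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed access-log layout (common log format); adapt to the real one.
ACCESS_RE = re.compile(
    r'^(?P<ip>\d+\.\d+\.\d+\.\d+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)'
)


@dataclass(frozen=True)
class Finding:
    line_no: int
    reason: str
    evidence: str


def scan_log(text: str) -> list[Finding]:
    """Return one Finding per suspicious event in the given log text."""
    findings: list[Finding] = []
    in_trace = False  # True while walking the rest of a stack trace already reported
    for no, line in enumerate(text.splitlines(), start=1):
        if IOC_FRAME in line:
            if not in_trace:
                findings.append(Finding(no, "deserialization error in License Servlet (Fortra IoC)",
                                        line.strip()))
            in_trace = True
            continue
        if in_trace and line.startswith("\tat "):
            continue  # further frames of the same trace; already counted
        in_trace = False
        m = ACCESS_RE.match(line)
        if m and m.group("path").startswith(LICENSE_PATH_PREFIX):
            ip = ipaddress.ip_address(m.group("ip"))
            if not any(ip in net for net in TRUSTED_NETS):
                findings.append(Finding(no, "license endpoint request from untrusted source",
                                        f"{ip} {m.group('method')} {m.group('path')}"))
    return findings


# Constructed sample: an external POST to the license endpoint followed by the
# indicator trace, then legitimate admin traffic from a trusted network.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Sep/2025:03:14:07 +0000] "POST /goanywhere/lic/accept HTTP/1.1" 500 0
2025-09-10 03:14:07,412 ERROR [LicenseServlet] Error parsing license response
java.io.IOException: license object could not be read
\tat java.base/java.security.SignedObject.getObject(SignedObject.java:181)
\tat com.example.LicenseServlet.doPost(LicenseServlet.java:42)
10.0.0.5 - - [10/Sep/2025:08:00:00 +0000] "GET /goanywhere/admin/login.xhtml HTTP/1.1" 200 1234
10.0.0.5 - - [10/Sep/2025:08:00:30 +0000] "POST /goanywhere/lic/accept HTTP/1.1" 200 0
"""


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.reason}: {f.evidence}")
```

Run against real logs, the first finding kind is the one that matters most: the SignedObject.getObject error is Fortra's indicator that someone tried to push a forged license through the servlet, and it should trigger incident response regardless of whether the source address looked trusted.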

CISA's recommendation: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Additional resources

Source: This report was generated using AI

Related Fortra Vulnerabilities

No related vulnerabilities found with identified affected products.