
Fortra, the company behind the widely used GoAnywhere Managed File Transfer (MFT) software, has released a critical security patch to address a serious flaw that could allow attackers to execute arbitrary commands on vulnerable systems. The vulnerability, tracked as CVE-2025-10035, has been assigned the highest possible CVSS severity score of 10.0, underlining the urgent need for organizations to take action.
The flaw lies in the License Servlet of GoAnywhere MFT. According to Fortra’s advisory, the bug is a deserialization vulnerability. This means that an attacker can use a forged license response signature to deserialize a malicious, actor-controlled object. If successful, this process can lead to command injection, giving hackers the ability to run harmful commands on the targeted system.
For this attack to succeed, however, the vulnerable system must be publicly accessible over the internet. Even with that limitation, experts warn that many GoAnywhere MFT deployments are internet-facing by design, making them attractive targets.
To protect customers, Fortra has issued security updates in two supported versions:
- GoAnywhere MFT 7.8.4
- Sustain Release 7.6.3
All users are strongly advised to upgrade immediately to one of these patched versions.
For organizations unable to patch right away, Fortra recommends ensuring that the GoAnywhere Admin Console is not publicly accessible. Restricting external access reduces the risk of attackers exploiting the flaw until a permanent patch can be applied.
So far, Fortra has not confirmed any active exploitation of CVE-2025-10035 in the wild. However, security researchers are warning organizations not to be complacent.
This is not the first time GoAnywhere MFT has faced high-profile vulnerabilities:
- CVE-2023-0669 (CVSS 7.2): This flaw was actively exploited as a zero-day vulnerability by ransomware groups, leading to the theft of sensitive corporate data.
- CVE-2024-0204 (CVSS 9.8): Another critical bug that allowed attackers to create new administrator accounts on targeted systems.
Given this track record, many experts believe it is only a matter of time before attackers attempt to exploit the newly disclosed CVE-2025-10035.

Ryan Dewhurst, head of proactive threat intelligence at watchTowr, highlighted the seriousness of the situation. He noted that the flaw impacts the same license code path in the Admin Console as CVE-2023-0669, which was heavily exploited by ransomware groups like LockBit in 2023.
“With thousands of GoAnywhere MFT instances exposed to the internet, this issue is almost certain to be weaponized soon,” Dewhurst said. “While Fortra notes exploitation requires external exposure, these systems are generally internet-facing by design. Organizations should assume they are vulnerable and apply the official patches immediately.”
GoAnywhere MFT is used by enterprises worldwide to securely transfer files, automate workflows, and ensure compliance with data regulations. Because the software often handles sensitive data such as financial records, personal information, and intellectual property, it has become a prime target for ransomware operators and advanced persistent threat (APT) groups.
If left unpatched, the new CVE-2025-10035 flaw could allow attackers to gain unauthorized control, steal valuable information, disrupt business operations, or use compromised systems as entry points into larger corporate networks.
To reduce the risk of exploitation, organizations using GoAnywhere MFT should take the following steps immediately:
- Update to the latest patched version (7.8.4 or 7.6.3).
- Restrict public access to the GoAnywhere Admin Console until patching is complete.
- Monitor system logs for suspicious activity, especially failed login attempts and unusual command executions.
- Apply network segmentation to limit exposure of critical systems to external threats.
- Regularly review security advisories from Fortra and other vendors to stay informed about new vulnerabilities.
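The first two steps can be turned into a quick inventory triage. The script below is an added example, not code from Fortra or the article; it assumes that any build below 7.8.4 on the main line, or below 7.6.3 on the 7.6 sustain line, is unpatched (the article names only the fixed versions, not the affected range), and the inventory it runs over is constructed sample data.

```python
from typing import Dict, List, Tuple

# Fixed versions named in Fortra's advisory for CVE-2025-10035 (from the article).
PATCHED_MAIN = (7, 8, 4)     # GoAnywhere MFT 7.8.4
PATCHED_SUSTAIN = (7, 6, 3)  # Sustain Release 7.6.3


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '7.8.4', '7.8' or '7.6.3-sustain' into a comparable (major, minor, patch) tuple."""
    core = text.strip().split("-")[0]
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts] + [0, 0, 0]  # pad short strings such as '7.8'
    return nums[0], nums[1], nums[2]


def is_patched(version: str) -> bool:
    """Assumption: 7.6.x is judged against the sustain fix, everything else against 7.8.4."""
    v = parse_version(version)
    if v[:2] == (7, 6):
        return v >= PATCHED_SUSTAIN
    return v >= PATCHED_MAIN


def triage(inventory: List[Dict]) -> Dict[str, str]:
    """Rank hosts: unpatched plus an internet-facing Admin Console is the worst case,
    because the article notes exploitation requires public accessibility."""
    result = {}
    for host in inventory:
        if is_patched(host["version"]):
            result[host["name"]] = "patched"
        elif host["admin_console_internet_facing"]:
            result[host["name"]] = "critical: unpatched and Admin Console reachable from the internet"
        else:
            result[host["name"]] = "high: unpatched; keep Admin Console internal until upgraded"
    return result


# Constructed sample inventory (hypothetical host names and versions).
SAMPLE_INVENTORY = [
    {"name": "mft-dmz-01", "version": "7.8.3", "admin_console_internet_facing": True},
    {"name": "mft-int-02", "version": "7.6.2", "admin_console_internet_facing": False},
    {"name": "mft-int-03", "version": "7.6.3", "admin_console_internet_facing": False},
    {"name": "mft-new-04", "version": "7.8.4", "admin_console_internet_facing": True},
]

if __name__ == "__main__":
    for name, status in triage(SAMPLE_INVENTORY).items():
        print(f"{name}: {status}")
```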
The disclosure of CVE-2025-10035 once again shows why enterprise file transfer software is an attractive target for cybercriminals. With a maximum CVSS score of 10.0, the flaw in GoAnywhere MFT is not just a theoretical risk—it is a ticking time bomb for unpatched systems.
Organizations that rely on GoAnywhere MFT should act immediately by applying the patch, restricting public access, and implementing layered defenses. History has shown that threat actors waste no time in exploiting these kinds of vulnerabilities, and delaying remediation could have severe financial and reputational consequences.
As ransomware groups continue to evolve, businesses must remain proactive in patch management and network defense to stay ahead of cyber threats.