Security analysts alarmed over latest GoAnywhere MFT vulnerability

Fortra has disclosed CVE-2025-10035, a deserialisation vulnerability that experts believe could lead to widespread exploitation of the popular file transfer platform, GoAnywhere MFT, again.


The developer of the managed file transfer application GoAnywhere MFT has disclosed a worrying new vulnerability that has security experts concerned over the possibility of widespread exploitation.

Fortra disclosed CVE-2025-10035 on 18 September, a deserialisation vulnerability in GoAnywhere MFT’s License Servlet that could lead to unauthenticated remote code execution.

In the company's own words, “a deserialisation vulnerability in the License Servlet of Fortra’s GoAnywhere MFT allows an actor with a validly forged license response signature to deserialise an arbitrary actor-controlled object, possibly leading to command injection”.


The vulnerability was first discovered on 11 September, and a patch is already available to mitigate the issue. Fortra said its customers should “immediately ensure that access to the GoAnywhere Admin Console is not open to the public”.

“Exploitation of this vulnerability is highly dependent upon systems being externally exposed to the internet,” Fortra said.

Fortra said it is unaware of any exploitation, but Stephen Fewer, a security engineer at Rapid7, said the issue represents a “significant threat”.

“Currently, there is no known public exploit code available for the new vulnerability, CVE-2025-10035, and the vendor has not reported CVE-2025-10035 as having been exploited in the wild,” Fewer said in a 20 September blog post.

“However, given the nature and history of this product, this new vulnerability should be treated as a significant threat.”

Caitlin Condon, vice president of research at VulnCheck, noted similarities between this new vulnerability and one previously exploited by cyber extortionists.

“The description and root cause of CVE-2025-10035 – a newly disclosed critical vulnerability in Fortra’s GoAnywhere MFT solution – is virtually identical to that of CVE-2023-0669, another critical issue that was widely exploited by ransomware groups in 2023, including Clop,” Condon told Cyber Daily.

“While it’s not clear currently if CVE-2025-10035 has been exploited in the wild, it’s safe to assume ransomware and other APT groups will be highly motivated to develop exploits targeting this new vulnerability. Fortra also delivered a patch within five days of discovery, if their timeline is accurate, which implies that the supplier is also aware of the urgency.

“Given GoAnywhere MFT’s history of threat actor targeting, we advise organisations to immediately prioritise updating to a patched version, namely 7.8.4 or 7.6.3, and ensuring the GoAnywhere MFT admin console is not exposed to the public internet.”

Ryan Dewhurst, head of proactive threat intelligence at watchTowr, however, expects exploitation of the vulnerability to be only a matter of time.

“With thousands of GoAnywhere MFT instances exposed to the internet, this issue is almost certain to be weaponised for in-the-wild exploitation soon,” Dewhurst said.

“While Fortra notes exploitation requires external exposure, these systems are generally internet-facing by design, so organisations should assume they are vulnerable. Organisations should apply the official patches immediately and take steps to restrict external access to the Admin Console.”

Cyber crime group Clop has made a career of exploiting vulnerabilities in file transfer platforms. In 2023, the group claimed more than 100 victims via the exploitation of CVE-2023-0669, and in the following year it took similar advantage of vulnerabilities in MOVEit, PaperCut, and SysAid.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
