Critical Vulnerability in Fortra’s GoAnywhere MFT Enables Remote Command Injection
A critical deserialization vulnerability, tracked as CVE-2025-10035, has been discovered in Fortra’s GoAnywhere MFT license service, potentially allowing attackers to execute arbitrary code on affected systems. The flaw, disclosed September 11, 2025, centers on a weakness in the handling of license response signatures, enabling a malicious actor with a forged signature to deserialize attacker-controlled objects.
GoAnywhere MFT is a secure file transfer solution used by organizations to protect and manage sensitive data, offering connectivity to cloud and web applications. The vulnerability carries a CVSS 3.1 score of 10.0, signifying its maximum severity. Fortra has released security advisory FI-2025-012 detailing the issue and providing remediation steps.
Exploitation of the vulnerability depends heavily on the GoAnywhere Admin Console being externally accessible. Fortra recommends immediately restricting public access to the console as a temporary mitigation.
Permanent fixes require upgrading to patched versions: 7.8.4 or the Sustain release 7.6.3. Further information is available from Fortra directly and in reporting from BleepingComputer.
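For teams tracking several GoAnywhere MFT instances, the following added example (not code from Fortra or the advisory) sorts an inventory by the fixed versions and console exposure described above. The inventory fields and host names are constructed, and treating the Sustain branch as exactly the 7.6.x line is an assumption.

```python
"""Triage a GoAnywhere MFT inventory against the CVE-2025-10035 fixed versions."""
import re

# Fixed versions named in the article: 7.8.4, or 7.6.3 on the Sustain release.
FIXED_MAIN = (7, 8, 4)
FIXED_SUSTAIN = (7, 6, 3)

def parse_version(text):
    """Return (major, minor, patch) from e.g. '7.8.3'; missing parts count as 0."""
    m = re.fullmatch(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?\s*", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p or 0) for p in m.groups())

def is_patched(version):
    """True if the version is at or above the fix for its branch."""
    v = parse_version(version)
    # Assumption: the Sustain branch is exactly the 7.6.x line.
    if v[:2] == FIXED_SUSTAIN[:2]:
        return v >= FIXED_SUSTAIN
    return v >= FIXED_MAIN

def triage(hosts):
    """Map each host name to 'patched', 'urgent', 'upgrade' or 'unknown'."""
    result = {}
    for h in hosts:
        try:
            patched = is_patched(h["version"])
        except ValueError:
            result[h["name"]] = "unknown"   # verify the version by hand
            continue
        if patched:
            result[h["name"]] = "patched"
        elif h["admin_console_public"]:
            # Unpatched with a publicly reachable Admin Console: restrict access first.
            result[h["name"]] = "urgent"
        else:
            result[h["name"]] = "upgrade"
    return result

# Constructed sample inventory (hypothetical host names and field names).
INVENTORY = [
    {"name": "mft-dmz-01", "version": "7.8.3", "admin_console_public": True},
    {"name": "mft-int-02", "version": "7.8.4", "admin_console_public": False},
    {"name": "mft-sus-03", "version": "7.6.2", "admin_console_public": False},
    {"name": "mft-sus-04", "version": "7.6.3", "admin_console_public": True},
    {"name": "mft-old-05", "version": "7.7.9", "admin_console_public": True},
    {"name": "mft-lab-06", "version": "unknown", "admin_console_public": False},
]

if __name__ == "__main__":
    for name, status in triage(INVENTORY).items():
        print(f"{name}: {status}")
```

Hosts reported as `urgent` are the ones where the temporary mitigation applies before the upgrade window.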