Critical GoAnywhere MFT Platform Vulnerability Exposes Enterprises to Remote Exploitation

Posted on By CWS

A deserialization flaw within the License Servlet part of Fortra GoAnywhere Managed File Switch (MFT) platform.

Recognized as CVE-2025-10035, this vulnerability permits an unauthenticated attacker who can ship a solid license response signature to set off Java deserialization of attacker-supplied objects, doubtlessly leading to arbitrary command execution and full system compromise.

Deserialization Flaw (CVE-2025-10035)

GoAnywhere MFT’s License Servlet fails to deal with serialized information in license responses safely.  The servlet deserializes information with out validating object varieties, resulting in a basic CWE-502: Deserialization of Untrusted Knowledge state of affairs. 

When mixed with CWE-77: Command Injection, the problem permits distant code execution with Community Assault Vector (AV:N), Low Assault Complexity (AC:L), No Privileges Required (PR:N), No Consumer Interplay (UI:N), Excessive Scope Influence (S:C), and whole lack of Confidentiality (C:H), Integrity (I:H), and Availability (A:H), with a CVSS v3.1 rating of 10.0.

An attacker who can craft a malicious license response that passes signature verification can inject instructions through the deserialized object’s strategies.

A crafted serialized payload referencing java.lang.Runtime.exec() may seem as:

This code snippet illustrates how deserialized objects may be weaponized to execute arbitrary shell instructions on the server internet hosting the GoAnywhere Admin Console.

Threat FactorsDetailsAffected ProductsGoAnywhere MFTImpactRemote code execution (RCE)Exploit PrerequisitesForged license response signatureCVSS 3.1 Score10.0 (Essential)

Mitigations

Fortra said that profitable exploitation is contingent upon the GoAnywhere Admin Console being accessible over the Web. To mitigate quick threat, directors ought to:

Prohibit Admin Console entry by firewall guidelines or community ACLs so it’s not publicly reachable.

Confirm that solely trusted IP addresses could connect with the GoAnywhere administration interface.

Everlasting remediation requires upgrading GoAnywhere MFT to a patched launch. Affected clients should replace to model 7.8.4 or, if on the Maintain Launch department, model 7.6.3. 

The updates embody validation routines within the License Servlet to implement class whitelisting and signature checks, eliminating unsafe deserialization. Safety groups are urged to prioritize this replace instantly, given the exploit’s ease and devastating potential affect.

Discover this Story Fascinating! Observe us on Google Information, LinkedIn, and X to Get Extra Immediate Updates.

Cyber Security News Tags:, , , , , , , ,

Related Posts

North Korean Hackers Weaponized 67 Malicious npm Packages to Deliver XORIndex Malware Cyber Security News
VMware NSX XSS Vulnerability Allows Attackers to Inject Malicious Code Cyber Security News
Ukrainian Networks Launch Massive Brute-Force and Password-Spraying Campaigns Targeting SSL VPN and RDP Systems Cyber Security News
Fortinet FortiSIEM Command Injection Vulnerability (CVE-2025-25256) Cyber Security News
Threat Actor Mimo Attacking Magento CMS to Steal Card Details and Bandwidth Monetization Cyber Security News
DragonForce Ransomware Claimed To Compromise Over 120 Victims in The Past Year Cyber Security News