CRITICAL🚩 CISA KEV⚡ EXPLOIT🇵🇱 Wersja polska

CVE-2025-10035

CVSS 10.0v3.1pub. 2025-09-18upd. 2025-10-24

A deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection.

🤖 AI Analysis
How it works

The attacker forges the license response signature in such a way that it passes server-side verification. The crafted response contains a maliciously constructed serialized object that the License Servlet deserializes without proper content validation (CWE-502). The deserialization operation leads to command injection (CWE-77), enabling execution of arbitrary system commands in the context of the application server. The vulnerability requires no authentication or user interaction, and its scope of impact extends beyond the application itself (Scope: Changed).

Impact

An attacker can gain full control over the server — execute arbitrary operating system commands, access stored files and data (including those transferred via MFT), and compromise the integrity and availability of the system.

Mitigation & patch

Security patches available from the vendor must be applied immediately in accordance with the official Fortra advisory (fi-2025-012). Due to confirmed active exploitation by CISA KEV, the update should be treated as a priority. Until the patch is deployed, consider restricting network access to the License Servlet and monitoring anomalous requests directed to this component.

Who is affected

Fortra GoAnywhere Managed File Transfer — versions indicated in vendor references (advisory fi-2025-012 on fortra.com).

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Fortra Goanywhere Managed File Transfer

    APP
    Fortra
    < 7.6.37.7.0 – 7.8.4 (bez)

CISA KEV — detailsi

Vendori
Fortra
Producti
GoAnywhere MFT
Added to KEVi
September 29, 2025
Remediation deadline (US Federal)i
October 20, 2025(overdue)
Ransomwarei
Active ransomware campaigns exploit this vulnerability
Required action (CISA)i

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA descriptioni

Fortra GoAnywhere MFT contains a deserialization of untrusted data vulnerability allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
☠️WYKORZYSTYWANE W RANSOMWARECISA DEADLINE: 20 października 2025
Tags
Deserialization
CWE
References

Related vulnerabilities

CVE-2024-0204CRITICAL9.8PL ✓ten sam produkt

Pominięcie uwierzytelniania w Fortra GoAnywhere MFT — tworzenie konta admina

CVE-2023-0669HIGH7.2⚠ KEVten sam produkt

Fortra (formerly, HelpSystems) GoAnywhere MFT suffers from a pre-authentication command injection vulnerabilit...

CVE-2025-14362HIGH7.3ten sam produkt

The login limit is not enforced on the SFTP service of Fortra's GoAnywhere MFT prior to 7.10.0 if the Web User...

CVE-2025-1241MEDIUM5.8ten sam produkt

Encrypted values in Fortra's GoAnywhere MFT prior to version 7.10.0 and GoAnywhere Agents prior to version 2.2...

CVE-2026-0971MEDIUM4.3ten sam produkt

An improper session timeout issue in Fortra's GoAnywhere MFT prior to version 7.10.0 results in SAML configure...