Fortra GoAnywhere CVSS 10 Flaw Exploited as 0-Day a Week Before Public Disclosure

Fortra GoAnywhere CVSS 10 Flaw Exploited as 0-Day a Week Before Public Disclosure

Briefly

"According to an analysis released by watchTowr earlier this week, the vulnerability has to do with the fact that it's possible to send a crafted HTTP GET request to the "/goanywhere/license/Unlicensed.xhtml/" endpoint to directly interact with the License Servlet ("com.linoma.ga.ui.admin.servlet.LicenseResponseServlet") that's exposed at "/goanywhere/lic/accept/<GUID>" using the GUID embedded in the response to the earlier sent request. Armed with this authentication bypass, an attacker can take advantage of inadequate deserialization protections in the License Servlet to result in command injection."

"The vulnerability in question is CVE-2025-10035, which has been described as a deserialization vulnerability in the License Servlet that could result in command injection without authentication. Fortra GoAnywhere version 7.8.4, or the Sustain Release 7.6.3, was released by Fortra last week to remediate the problem. Cybersecurity vendor Rapid7, which also released its findings into CVE-2025-10035, said it's not a single deserialization vulnerability, but rather a chain of three separate issues - An access control bypass that has been known since 2023"