Fortra GoAnywhere CVSS 10 Flaw Exploited as 0-Day a Week Before Public Disclosure
Briefly

"According to an analysis released by watchTowr earlier this week, the vulnerability has to do with the fact that it's possible to send a crafted HTTP GET request to the "/goanywhere/license/Unlicensed.xhtml/" endpoint to directly interact with the License Servlet ("com.linoma.ga.ui.admin.servlet.LicenseResponseServlet") that's exposed at "/goanywhere/lic/accept/<GUID>" using the GUID embedded in the response to the earlier sent request. Armed with this authentication bypass, an attacker can take advantage of inadequate deserialization protections in the License Servlet to result in command injection."
"The vulnerability in question is CVE-2025-10035, which has been described as a deserialization vulnerability in the License Servlet that could result in command injection without authentication. Fortra GoAnywhere version 7.8.4, or the Sustain Release 7.6.3, was released by Fortra last week to remediate the problem. Cybersecurity vendor Rapid7, which also released its findings into CVE-2025-10035, said it's not a single deserialization vulnerability, but rather a chain of three separate issues - An access control bypass that has been known since 2023"
CVE-2025-10035 is a deserialization vulnerability in the Fortra GoAnywhere License Servlet that can enable unauthenticated command injection. watchTowr Labs reports credible evidence of active exploitation since at least September 10, 2025. The exploit sequence involves sending a crafted HTTP GET to /goanywhere/license/Unlicensed.xhtml/ to receive a GUID and then interacting with the License Servlet at /goanywhere/lic/accept/<GUID>, bypassing authentication. Inadequate deserialization protections in the License Servlet allow command injection once access is achieved. Rapid7 describes the issue as a chain of three problems including a preexisting access-control bypass from 2023, the unsafe deserialization, and an additional unknown issue. Fortra released GoAnywhere 7.8.4 and Sustain Release 7.6.3 to remediate the vulnerability.
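The two-step request pattern described above (a GET to `/goanywhere/license/Unlicensed.xhtml/` that returns a GUID, followed by a request to `/goanywhere/lic/accept/<GUID>`) is something defenders can look for in web-server access logs of a GoAnywhere instance. The script below is an added example, not code from The Hacker News, watchTowr, Rapid7 or Fortra. It assumes Common Log Format lines, a standard 8-4-4-4-12 hex GUID in the second path, and a 10-minute correlation window between the two stages; the log lines embedded in it are constructed, not real traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Parser for Common Log Format (assumption: GoAnywhere sits behind a server that logs in CLF).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Stage 1: the request that hands back the GUID (path as reported in the article).
STAGE1_RE = re.compile(r"^/goanywhere/license/Unlicensed\.xhtml/", re.IGNORECASE)
# Stage 2: the License Servlet endpoint keyed by that GUID (GUID format is an assumption).
STAGE2_RE = re.compile(
    r"^/goanywhere/lic/accept/"
    r"(?P<guid>[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})",
    re.IGNORECASE,
)
# Correlation window between stage 1 and stage 2 (my choice, not from the advisory).
WINDOW = timedelta(minutes=10)

# Constructed sample log (not real traffic): one client performs the full chain,
# another touches the License Servlet without the preceding Unlicensed.xhtml/ request.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Sep/2025:14:02:11 +0000] "GET /goanywhere/license/Unlicensed.xhtml/ HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Sep/2025:14:02:13 +0000] "POST /goanywhere/lic/accept/4c6e0b0e-aaaa-bbbb-cccc-1234567890ab HTTP/1.1" 200 310',
    '198.51.100.22 - - [10/Sep/2025:14:05:40 +0000] "GET /goanywhere/auth/Login.xhtml HTTP/1.1" 200 8800',
    '198.51.100.22 - - [10/Sep/2025:15:30:00 +0000] "POST /goanywhere/lic/accept/ffffffff-0000-1111-2222-333333333333 HTTP/1.1" 200 310',
]


def parse_line(line):
    """Return a dict with ip, ts, method, path, status, or None if the line is not CLF."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def detect_chain(lines, window=WINDOW):
    """Correlate stage-1 and stage-2 requests per client.

    Returns a list of (kind, ip, timestamp, guid) tuples:
      kind == "stage1": a request to the Unlicensed.xhtml/ path (worth reviewing on its own)
      kind == "chain":  a License Servlet request from the same client within `window`
                        of a stage-1 hit (high-confidence match for the described sequence)
    """
    findings = []
    stage1_by_ip = defaultdict(list)  # ip -> timestamps of stage-1 requests
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        if STAGE1_RE.match(ev["path"]):
            stage1_by_ip[ev["ip"]].append(ev["ts"])
            findings.append(("stage1", ev["ip"], ev["ts"], None))
            continue
        m2 = STAGE2_RE.match(ev["path"])
        if m2:
            recent = [t for t in stage1_by_ip[ev["ip"]]
                      if timedelta(0) <= ev["ts"] - t <= window]
            if recent:
                findings.append(("chain", ev["ip"], ev["ts"], m2.group("guid")))
    return findings


if __name__ == "__main__":
    for kind, ip, ts, guid in detect_chain(SAMPLE_LOG):
        print(f"{ts.isoformat()} {kind:7s} client={ip} guid={guid}")
```

A stage-2 request without a preceding stage-1 hit from the same client is deliberately not reported as a chain, since the article does not say whether legitimate license activation also uses that servlet; feed the script a real access log (`detect_chain(open(path))`) and triage the `stage1` hits separately.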
Read at The Hacker News