Fortra Patches Critical GoAnywhere MFT Vulnerability
"Tracked as CVE-2025-10035 (CVSS score of 10), the critical bug is described as a deserialization of untrusted data issue affecting the application's license servlet. According to Fortra's advisory, the bug could be exploited by "an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection". Successful exploitation of the flaw, Rapid7 warns, could allow unauthenticated attackers to achieve remote code execution (RCE) on vulnerable GoAnywhere MFT instances."
"Fortra included patches for the security defect in GoAnywhere MFT version 7.8.4 and GoAnywhere MFT Sustain version 7.6.3 and urged customers to ensure that the GoAnywhere Admin Console is not accessible to the public. "Exploitation of this vulnerability is highly dependent upon systems being externally exposed to the internet," the company notes. Fortra also advises customers to monitor Admin Audit logs for suspicious activity and to look in log files for errors containing the SignedObject.getObject: string in exception stack traces, which indicates impact from the vulnerability."
A critical deserialization vulnerability (CVE-2025-10035, CVSS 10) in the license servlet of GoAnywhere MFT can lead to command injection: an actor holding a validly forged license response signature can make the servlet deserialize an arbitrary, actor-controlled object, which Rapid7 says may give an unauthenticated attacker remote code execution. Fortra fixed the flaw in GoAnywhere MFT 7.8.4 and GoAnywhere MFT Sustain 7.6.3. Because exploitation is highly dependent on the system being exposed to the internet, Fortra advises keeping the Admin Console off the public internet, monitoring Admin Audit logs for suspicious activity, and searching log files for exception stack traces containing the string SignedObject.getObject: as an indicator that the vulnerability was triggered. No confirmed in-the-wild exploitation or public exploit code has been reported.
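Added example, not code from SecurityWeek or Fortra: a short Python script that applies the two checks the advisory points to, comparing an installed version against the patched releases (7.8.4 for MFT, 7.6.3 for Sustain) and scanning log text for the SignedObject.getObject indicator, reporting each exception block that contains it. It assumes the operator knows which branch (MFT or Sustain) the instance runs, that log entries begin with an ISO-style timestamp so multi-line stack traces can be grouped with their entry, and it matches the substring SignedObject.getObject rather than the advisory's SignedObject.getObject: so that a Java stack frame such as at java.security.SignedObject.getObject(...) is caught as well. The sample log lines, class names and package names are constructed for the example and are not real GoAnywhere output.

```python
"""Two checks suggested by Fortra's guidance on CVE-2025-10035 (added example):
(1) compare an installed GoAnywhere MFT version against the patched releases,
(2) scan log text for the SignedObject.getObject indicator and report each log
entry (with its stack trace) that contains it.
The sample log below is constructed for this example, not real product output."""

import re
from typing import Iterable

# Patched releases named in Fortra's advisory, keyed by product branch.
PATCHED = {
    "mft": (7, 8, 4),      # GoAnywhere MFT
    "sustain": (7, 6, 3),  # GoAnywhere MFT Sustain
}

# Assumption: match the method name without the trailing colon quoted in the
# advisory, so both "SignedObject.getObject: ..." messages and stack frames hit.
INDICATOR = "SignedObject.getObject"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")
# Assumption: each log entry starts with "YYYY-MM-DD HH:MM:SS"; continuation
# lines (exception text, "at ..." frames, "Caused by:") do not.
_TIMESTAMP_RE = re.compile(r"^\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}:\d{2}")


def parse_version(text: str) -> tuple:
    """Parse 'MAJOR.MINOR.PATCH'; anything after the patch number is ignored."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(version: str, branch: str) -> bool:
    """True if `version` is at or above the fixed release for `branch`
    ('mft' or 'sustain'); the caller must know which branch is installed."""
    return parse_version(version) >= PATCHED[branch]


def find_indicator_hits(lines: Iterable[str]) -> list:
    """Group lines into log entries (a timestamped line starts an entry and
    owns the untimestamped lines after it) and return every entry containing
    the indicator, as {"line": starting line number, "text": full entry}."""
    hits = []
    current = None  # {"line": int, "text": [str]} for the entry being built

    def flush():
        if current and any(INDICATOR in t for t in current["text"]):
            hits.append({"line": current["line"],
                         "text": "\n".join(current["text"])})

    for n, raw in enumerate(lines, 1):
        line = raw.rstrip("\n")
        if _TIMESTAMP_RE.match(line):
            flush()
            current = {"line": n, "text": [line]}
        elif current is not None:
            current["text"].append(line)
    flush()
    return hits


def scan_log_text(text: str) -> list:
    """Convenience wrapper for log text already read into memory."""
    return find_indicator_hits(text.splitlines())


# Constructed sample: one benign entry, one exception whose stack trace passes
# through SignedObject.getObject, then unrelated entries.  Not real output.
SAMPLE_LOG = """\
2025-09-18 10:12:03,118 INFO  [LicenseServlet] License response received
2025-09-18 10:12:03,120 ERROR [LicenseServlet] Failed to process license response
java.lang.ClassCastException: deserialized object is not a license object
\tat java.security.SignedObject.getObject(Unknown Source)
\tat com.example.license.LicenseResponseHandler.handle(Unknown Source)
2025-09-18 10:12:04,002 INFO  [AdminAudit] user=admin action=login result=success
2025-09-18 10:13:17,450 ERROR [Scheduler] Job failed: connection refused
"""

if __name__ == "__main__":
    for branch, ver in (("mft", "7.8.3"), ("mft", "7.8.4"), ("sustain", "7.6.3")):
        state = "patched" if is_patched(ver, branch) else "UNPATCHED"
        print(f"{branch} {ver}: {state}")
    for hit in scan_log_text(SAMPLE_LOG):
        print(f"indicator at log line {hit['line']}:\n{hit['text']}")
```

In use, replace SAMPLE_LOG with the contents of the GoAnywhere log files (find_indicator_hits accepts any iterable of lines, so an open file handle works directly). A hit is evidence that the vulnerable code path was reached, not proof of compromise, so pair it with a review of the Admin Audit log for the same time window.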
Read at SecurityWeek