From License to Root: Critical Flaw in Fortra GoAnywhere MFT

A critical vulnerability has been identified in Fortra’s GoAnywhere Managed File Transfer (MFT) platform, posing a significant risk to organizations that rely on this software for secure file exchange. The flaw, identified as CVE-2025-10035, has been assigned a CVSS score of 10.0, the highest possible severity rating, indicating the potential for widespread and severe impact.


Vulnerability Details

The vulnerability is a deserialization flaw in the License Servlet component of GoAnywhere MFT. It stems from the application’s failure to safely handle serialized data within license responses: the License Servlet deserializes that data without validating object types, so an attacker can introduce arbitrary, attacker-controlled objects into the application. This is classified as CWE-502 (Deserialization of Untrusted Data).

According to Fortra’s advisory, an unauthenticated attacker capable of delivering a forged license response signature can exploit this vulnerability. By crafting a malicious license response, an attacker can trigger the deserialization of arbitrary objects, potentially leading to command injection and complete system compromise.


Root Cause

The root cause of CVE-2025-10035 lies in the License Servlet’s unsafe handling of serialized data. The lack of proper validation during deserialization allows for the introduction of untrusted data, which can then be exploited to execute arbitrary commands.
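An added example, not Fortra’s code, of the two controls the root cause points at, written in Java because the affected servlet is Java: the vendor signature is verified over the raw bytes before deserialization starts, and an ObjectInputFilter allowlist rejects every class except the ones a license response is expected to contain. The LicenseResponse class, its fields, and the RSA key are constructed stand-ins, not GoAnywhere’s real license format.

```java
import java.io.*;
import java.security.*;
import java.util.Set;

public class LicenseResponseReader {
    // Constructed stand-in for the object a license response is expected to carry.
    public static final class LicenseResponse implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String customer;
        public final long expiresEpochSeconds;
        public LicenseResponse(String c, long e) { customer = c; expiresEpochSeconds = e; }
    }
    // Type validation the text says was missing: only the classes a license response may
    // contain are accepted; the filter runs before any other class is resolved or instantiated.
    private static final Set<Class<?>> ALLOWED = Set.of(LicenseResponse.class, String.class);
    static final ObjectInputFilter LICENSE_FILTER = info -> {
        Class<?> c = info.serialClass();
        if (c == null) {                                  // depth/array-length probes carry no class
            return info.depth() > 3 ? ObjectInputFilter.Status.REJECTED
                                    : ObjectInputFilter.Status.UNDECIDED;
        }
        return ALLOWED.contains(c) ? ObjectInputFilter.Status.ALLOWED
                                   : ObjectInputFilter.Status.REJECTED;
    };

    // Verify the vendor signature over the raw bytes before ObjectInputStream ever sees them.
    public static LicenseResponse readVerified(byte[] data, byte[] sig, PublicKey vendorKey) throws Exception {
        Signature v = Signature.getInstance("SHA256withRSA");
        v.initVerify(vendorKey);
        v.update(data);
        if (!v.verify(sig)) throw new SecurityException("license response signature invalid");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(LICENSE_FILTER);      // Java 9+ (JEP 290)
            return (LicenseResponse) in.readObject();     // InvalidClassException if a class is rejected
        }
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();               // constructed vendor key, not Fortra's
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(new LicenseResponse("example-customer", 1_900_000_000L));
        }
        byte[] data = bos.toByteArray();
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(kp.getPrivate()); s.update(data);
        System.out.println(readVerified(data, s.sign(), kp.getPublic()).customer);
    }
}
```

A stream that names any class outside the allowlist fails with InvalidClassException before that class’s deserialization logic runs, and a response whose signature does not verify never reaches ObjectInputStream at all.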


Proof of Concept (PoC)

Attackers can weaponize deserialized objects to execute arbitrary shell commands on the server hosting the GoAnywhere Admin Console. This involves crafting a serialized payload referencing java.lang.Runtime.exec().

Example of a crafted serialized payload:
<java.lang.Runtime.exec payload>

Impact & Exploit Potential

The impact of this vulnerability is substantial. Successful exploitation allows an attacker to execute arbitrary commands, potentially leading to full system compromise. Given the critical nature of MFT solutions in enterprise environments, such a compromise could have devastating consequences, including data theft, service disruption, and further lateral movement within the network.

The vulnerability can be exploited if the GoAnywhere Admin Console is publicly accessible over the internet. This exposure significantly increases the risk, as noted by Ryan Dewhurst, head of proactive threat intelligence at watchTowr. He pointed out that the vulnerability impacts the same license code path in the Admin Console as the earlier CVE-2023-0669, which was widely exploited by multiple ransomware and APT groups, including LockBit.

Considering that many GoAnywhere MFT instances are internet-facing by design, organizations should assume they are vulnerable and take immediate action.


Tactics, Techniques, and Procedures (TTPs)

This vulnerability aligns with the following Tactics, Techniques, and Procedures (TTPs) as defined by the MITRE ATT&CK framework:

TA0002 – Execution: This vulnerability allows attackers to execute arbitrary commands on the system.

T1203 – Exploitation for Client Execution: By exploiting this vulnerability, attackers can execute malicious code on the GoAnywhere MFT server.


Affected Products

The vulnerability affects the following product:

  • GoAnywhere MFT before 7.8.4

Mitigation & Recommendations

Fortra has released patched versions to address this critical vulnerability. Users are advised to upgrade to version 7.8.4 or, if using the Sustain Release branch, version 7.6.3.

In addition to patching, Fortra recommends the following immediate steps to mitigate the risk:

  • Restrict Admin Console access using firewall rules or network ACLs to ensure it is not publicly reachable.
  • Verify that only trusted IP addresses are allowed to connect to the GoAnywhere management interface.

These measures can help prevent unauthorized access and exploitation while the necessary updates are being applied.


Instantly Fix Risks with Saner Patch Management

Saner patch management is a continuous, automated, and integrated patching solution that instantly fixes risks exploited in the wild. The software supports major operating systems, including Windows, Linux, and macOS, as well as over 550 third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.

Experience the fastest and most accurate patching software here.