Fortra patches GoAnywhere MFT command injection flaw

Fortra has released security updates to address a vulnerability (CVE-2025-10035) in its GoAnywhere MFT software that could allow attackers to remotely execute commands through the product’s License Servlet.

GoAnywhere MFT is a widely used managed file transfer (MFT) tool designed to help organizations securely exchange sensitive files and maintain detailed access logs.

The flaw stems from a deserialization of untrusted data issue, which can be exploited without user interaction in low-complexity attacks. If successfully exploited, attackers could execute arbitrary code on vulnerable systems.

“A deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection,” the vendor explained.

Fortra said the vulnerability was discovered during a routine security check on September 11, though it has not disclosed whether it was reported by an external researcher or if it has been exploited in the wild.

To mitigate the issue, Fortra released GoAnywhere MFT versions 7.8.4 and 7.6.3 (Sustain Release) with patches addressing the flaw. For organizations unable to immediately upgrade, the company recommends removing public internet access to the GoAnywhere Admin Console to minimize exposure.

“Immediately ensure that access to the GoAnywhere Admin Console is not open to the public. Exploitation of this vulnerability is highly dependent upon systems being externally exposed to the internet,” Fortra advised.
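The vendor's guidance above boils down to two checks per server: is it on a fixed release, and if not, is its Admin Console reachable from the internet? The following triage script is an added example, not Fortra's code; it treats 7.8.4 and 7.6.3 (and later releases on those branches, or anything newer than 7.8.4) as fixed and, by assumption, every other version, including 7.7.x, as unpatched. The inventory is constructed.

```python
# Patch-status triage for CVE-2025-10035 across a GoAnywhere MFT inventory.
# Assumptions (not stated in the article): later releases on the 7.6 and 7.8
# branches, and anything newer than 7.8.4, are treated as fixed; every other
# version, including the 7.7.x line, is treated as unpatched.
from dataclasses import dataclass

FIXED = {(7, 6): 3, (7, 8): 4}  # branch -> first patched point release
NEWEST_FIX = (7, 8, 4)

def parse_version(text: str) -> tuple:
    """Turn '7.8.4' into (7, 8, 4); a missing component counts as 0."""
    parts = [int(p) for p in text.strip().split(".")]
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3])

def is_patched(version: str) -> bool:
    major, minor, patch = parse_version(version)
    if (major, minor) in FIXED:
        return patch >= FIXED[(major, minor)]
    return (major, minor, patch) > NEWEST_FIX

@dataclass
class Host:
    name: str
    version: str
    admin_console_public: bool  # Admin Console reachable from the internet?

def triage(hosts: list) -> dict:
    """Map each host to an action following the vendor's guidance: upgrade,
    and until then make sure the Admin Console is not publicly reachable."""
    actions = {}
    for h in hosts:
        if is_patched(h.version):
            actions[h.name] = "ok"
        elif h.admin_console_public:
            actions[h.name] = "urgent: restrict Admin Console, then upgrade"
        else:
            actions[h.name] = "upgrade to 7.8.4 or 7.6.3"
    return actions

# Constructed sample inventory; hostnames and versions are made up.
SAMPLE = [
    Host("mft-prod-01", "7.8.3", admin_console_public=True),
    Host("mft-prod-02", "7.8.4", admin_console_public=True),
    Host("mft-sustain", "7.6.2", admin_console_public=False),
    Host("mft-lab", "7.7.1", admin_console_public=False),
]
```

Running `triage(SAMPLE)` flags the exposed, unpatched host first, which is the ordering the advisory implies.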

Although there are no signs of active exploitation so far, GoAnywhere MFT has been a high-value target for cybercriminals in the past. In 2023, the Clop ransomware gang leveraged a similar vulnerability (CVE-2023-0669) to hack into more than 130 organizations.
