CVE-2025-10035
Deserialization Vulnerability in GoAnywhere MFT's License Servlet
In short
GoAnywhere MFT contains a flaw that lets someone holding a forged license response inject and run malicious commands on the server. This happens because the software deserializes untrusted data without adequate validation.
Technical detail
The License Servlet in GoAnywhere MFT deserializes untrusted objects (CWE-502) without adequate validation, enabling command injection (CWE-77) when an attacker crafts a malicious license response carrying a valid forged signature. The precondition is the ability to produce a valid license-response signature; the impact includes arbitrary code execution with the privileges of the application.
Summary generated and translated by AI from the official description.
A deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
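To make the CWE-502 pattern concrete, here is an added Java illustration (not Fortra's code and nothing taken from GoAnywhere MFT): a license-response handler that instantiates whatever class the stream names, beside a hardened version that verifies the signature over the raw bytes and then deserializes only through an ObjectInputFilter allowlist. LicenseData, the key pair and the SHA256withRSA scheme are assumptions; because the advisory's precondition is a forged signature, the allowlist rather than the signature check is the control that still holds.

```java
import java.io.*;
import java.security.*;
// Added illustration, not Fortra's code: the CWE-502 pattern described above next
// to a hardened version. LicenseData and the key handling are hypothetical.
public class LicenseResponseHandler {
    // The only application type we ever expect inside a license response.
    public static final class LicenseData implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String licensee;
        public LicenseData(String licensee) { this.licensee = licensee; }
    }
    // Allowlist filter: LicenseData and String only; every other class (and any
    // deep or oversized object graph) is rejected before the JVM instantiates it.
    private static final ObjectInputFilter LICENSE_FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=4;maxrefs=64;LicenseResponseHandler$LicenseData;java.lang.String;!*");
    // Vulnerable pattern (CWE-502): the stream, not the application, picks the class.
    static Object parseLicenseUnsafe(byte[] response) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(response))) {
            return in.readObject(); // a gadget chain in the stream would execute here
        }
    }
    // Hardened: verify the signature over the raw bytes first, then deserialize only
    // through the allowlist. The filter is what still protects the server when the
    // signature can be forged, which is the precondition the advisory describes.
    static LicenseData parseLicense(byte[] payload, byte[] sig, PublicKey vendorKey)
            throws GeneralSecurityException, IOException, ClassNotFoundException {
        Signature v = Signature.getInstance("SHA256withRSA");
        v.initVerify(vendorKey);
        v.update(payload);
        if (!v.verify(sig)) throw new SecurityException("bad license signature");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            in.setObjectInputFilter(LICENSE_FILTER);
            return (LicenseData) in.readObject(); // non-allowlisted class -> InvalidClassException
        }
    }
    public static void main(String[] args) throws Exception {
        KeyPair kp = KeyPairGenerator.getInstance("RSA").generateKeyPair(); // stands in for the vendor key
        // Constructed input: a correctly signed response whose payload is not a LicenseData.
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(new java.util.HashMap<>()); }
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(kp.getPrivate());
        s.update(buf.toByteArray());
        byte[] sig = s.sign();
        try { parseLicense(buf.toByteArray(), sig, kp.getPublic()); }
        catch (InvalidClassException e) { System.out.println("rejected by filter: " + e.getMessage()); }
    }
}
```

The signed HashMap passes the signature check but is refused by the filter before any constructor or readObject method runs; the unsafe variant would have instantiated it.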
Affected products
Fortra · GoAnywhere MFT
Public PoCs found — 3
github.com/rxerium/CVE-2025-10035 ★ 19
github.com/ThemeHackers/CVE-2025-10035 ★ 1
github.com/orange0Mint/CVE-2025-10035_GoAnywhere ★ 0
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.