CVE-2025-10035 -- CVSS 10.0 Vulnerability Briefing
CVE-2025-10035 | CVSS 10.0 (Critical) | Exploit: PoC available
What Is It
CVE-2025-10035 is a critical deserialization vulnerability in the License Servlet component of Fortra's GoAnywhere Managed File Transfer (MFT) platform, allowing an attacker to inject and execute arbitrary objects through a forged license response.
Technical Detail
The flaw exists in how GoAnywhere MFT's License Servlet processes license validation responses. An attacker who can forge a valid license response signature can supply an arbitrary serialized object, which the application deserializes without sufficient validation, potentially resulting in remote code execution (RCE) via command injection. The attack requires the ability to forge or intercept a license response signature, which raises the bar slightly above unauthenticated exploitation, but the CVSS score of 10.0 reflects the severity of the outcome if that precondition is met.
Exploitation Status
A proof-of-concept (PoC) exploit is publicly available. This vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, and active in-the-wild exploitation has not been confirmed as of this writing. However, the availability of a PoC combined with the critical severity rating significantly elevates the risk of exploitation in the near term.
Who Is Targeting This
No specific threat actor attribution has been confirmed at this time. It is worth noting that GoAnywhere MFT has historically been a high-value target for ransomware operators and data extortion groups, including the Cl0p group's exploitation of CVE-2023-0669, but no such attribution has been established for this specific vulnerability.
What To Do
Organizations running Fortra GoAnywhere MFT should apply the vendor-issued patch immediately, treating this as a priority-one remediation given the critical CVSS score and public PoC availability. If patching cannot be completed immediately, administrators should consider restricting network access to the License Servlet endpoint at the perimeter or host-based firewall level as a temporary workaround. Detection efforts should focus on anomalous deserialization activity, unexpected process spawning from the GoAnywhere MFT service account, and unusual outbound connections originating from the MFT host. Organizations should also review GoAnywhere MFT logs for any unexpected license validation requests or responses that may indicate prior exploitation attempts.
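One way to operationalize the detection guidance above, as an added example that is not from the briefing or from Fortra: a small triage script that runs constructed process and network telemetry records through the two checks named in this section (shell or interpreter spawned under the MFT service account; outbound connection from the MFT host to an unexpected destination). The service account name, hostname, JSON field names and destination allow-list are assumptions to be replaced with environment-specific values.

```python
import json
from typing import Optional

MFT_SERVICE_ACCOUNT = "goanywhere"          # assumed: account the MFT service runs as
MFT_HOST = "mft01"                          # assumed: hostname of the MFT server
# Assumed: a JVM hosting the application has no business launching these.
SUSPICIOUS_CHILDREN = {"sh", "bash", "cmd.exe", "powershell.exe",
                       "pwsh", "python", "perl", "curl", "wget"}
# Assumed: destinations the MFT host is expected to reach (license server, partners).
EXPECTED_DESTINATIONS = {"10.0.5.20", "203.0.113.10"}


def check_process(ev: dict) -> Optional[str]:
    """Flag a shell or interpreter spawned under the MFT service account."""
    child = ev["image"].rsplit("/", 1)[-1].rsplit("\\", 1)[-1].lower()
    if ev["user"] == MFT_SERVICE_ACCOUNT and child in SUSPICIOUS_CHILDREN:
        return f"{ev['host']}: {ev['parent_image']} spawned {ev['image']} as {ev['user']}"
    return None


def check_network(ev: dict) -> Optional[str]:
    """Flag an outbound connection from the MFT host to a destination not on the allow-list."""
    if (ev["host"] == MFT_HOST and ev["direction"] == "outbound"
            and ev["dst_ip"] not in EXPECTED_DESTINATIONS):
        return f"{ev['host']}: outbound {ev['dst_ip']}:{ev['dst_port']} from {ev['image']}"
    return None


CHECKS = {"process": check_process, "network": check_network}


def triage(lines) -> list:
    """Run each JSON telemetry line through the check for its event type; return alerts."""
    alerts = []
    for line in lines:
        ev = json.loads(line)
        hit = CHECKS.get(ev["type"], lambda _e: None)(ev)
        if hit:
            alerts.append(hit)
    return alerts


# Constructed sample telemetry for illustration; these are not GoAnywhere MFT log lines.
SAMPLE_EVENTS = [
    '{"type":"process","host":"mft01","user":"goanywhere","parent_image":"/opt/jdk/bin/java","image":"/bin/sh"}',
    '{"type":"process","host":"mft01","user":"goanywhere","parent_image":"/opt/jdk/bin/java","image":"/opt/jdk/bin/java"}',
    '{"type":"network","host":"mft01","direction":"outbound","image":"/opt/jdk/bin/java","dst_ip":"203.0.113.10","dst_port":443}',
    '{"type":"network","host":"mft01","direction":"outbound","image":"/opt/jdk/bin/java","dst_ip":"198.51.100.77","dst_port":8080}',
    '{"type":"process","host":"web01","user":"www-data","parent_image":"/usr/sbin/apache2","image":"/bin/sh"}',
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print("ALERT", alert)
```

Only the first and fourth constructed records trigger alerts; the shell spawned on web01 is ignored because the check is scoped to the MFT service account, which keeps the rule from firing across unrelated hosts.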