Fortra has fixed a maximum-severity vulnerability in its GoAnywhere Managed File Transfer (MFT) software, and users are urged to patch promptly, as threat actors have been particularly deft at exploiting MFT vulnerabilities.
The GoAnywhere MFT vulnerability – CVE-2025-10035 – is rated 10.0 under CVSS v3.1 and was revealed by Fortra in a security advisory published on September 18.
The deserialization vulnerability in GoAnywhere MFT’s License Servlet could potentially lead to command injection, Fortra said.
The vulnerability “allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection,” Fortra said in the advisory.
The company urged users to upgrade to a patched version – the latest release 7.8.4, or the Sustain Release 7.6.3.
Another mitigation is to “Immediately ensure that access to the GoAnywhere Admin Console is not open to the public. Exploitation of this vulnerability is highly dependent upon systems being externally exposed to the internet.”
The History of MFT Vulnerability Exploitation
Threat actors have been particularly good at exploiting MFT vulnerabilities in recent years, making CVE-2025-10035 an urgent priority for security teams.
An earlier GoAnywhere MFT vulnerability – CVE-2023-0669 – was exploited by CL0P, LockBit and other threat and ransomware groups.
Ryan Dewhurst, head of proactive threat intelligence at WatchTowr Security, said in a statement shared with The Cyber Express that the new GoAnywhere MFT vulnerability “impacts the same license code path in the Admin Console as the earlier CVE-2023-0669, which was widely exploited by multiple ransomware and APT groups in 2023.”
“With thousands of GoAnywhere MFT instances exposed to the Internet, this issue is almost certain to be weaponized for in-the-wild exploitation soon,” Dewhurst added. “While Fortra notes exploitation requires external exposure, these systems are generally Internet-facing by design, so organizations should assume they are vulnerable. Organizations should apply the official patches immediately and take steps to restrict external access to the Admin Console.”
CL0P is one threat group that has been particularly good at exploiting MFT vulnerabilities. The ransomware group’s exploitation of Cleo MFT vulnerabilities led to a record number of ransomware attacks earlier this year, and CL0P has also successfully exploited GoAnywhere MFT, MOVEit Transfer and Accellion FTA vulnerabilities.
Given the history of threat group attacks on managed file transfer vulnerabilities, GoAnywhere MFT users are advised to patch CVE-2025-10035 promptly and apply mitigations.
