CVE-2025-10035 (exploited in the wild)

Fortra GoAnywhere MFT, deserialization RCE (License Servlet)

A deserialization vulnerability in the License Servlet of Fortra GoAnywhere MFT allows an attacker who can present a forged, validly-signed license response to deserialize an arbitrary attacker-controlled object, leading to command injection and unauthenticated remote code execution. It was exploited in the wild as a zero-day, including Medusa ransomware deployment.

Overview

CVE-2025-10035 is a maximum-severity (CVSS 10.0) deserialization vulnerability in the License Servlet of Fortra GoAnywhere MFT, a widely deployed managed file-transfer product. An attacker able to present a forged license response with a valid signature can force the server to deserialize an arbitrary object, leading to command injection and remote code execution. It was exploited as a zero-day roughly a week before public disclosure and tied to Medusa ransomware deployment by the actor Microsoft tracks as Storm-1175. (NVD's secondary score is 9.8 with an unchanged scope; Fortra's CNA score is 10.0.)

Technical Details

The License Servlet accepts a license response and validates its signature before deserializing the embedded object. The flaw lets an attacker who can satisfy the signature check supply a malicious serialized object, which GoAnywhere deserializes into a gadget chain that injects operating-system commands. Public reporting indicates the practical prerequisite (a forged but valid signature) was achievable in real attacks, making exploitation effectively unauthenticated against exposed admin consoles.

Impact

  • Remote code execution on the GoAnywhere server, often internet-facing for partner file exchange.
  • Ransomware deployment: Storm-1175 used access to deploy Medusa ransomware and exfiltrate data.
  • Sensitive data exposure: MFT systems broker high-value files between organizations.
  • Echoes the 2023 GoAnywhere (CVE-2023-0669) and MOVEit mass-exploitation patterns, raising urgency.

Mitigation

  1. Upgrade immediately to GoAnywhere MFT 7.8.4, or to the 7.6.3 Sustain Release for the 7.6.x branch.
  2. Do not expose the GoAnywhere admin console to the internet; restrict it to trusted networks/VPN.
  3. Review the Admin Audit log for unexpected admin actions and the appearance of new admin users.
  4. Rotate credentials and signing material and assume data accessed before patching may be compromised.

Detection

  • Inspect GoAnywhere logs for deserialization errors or stack traces that pass through SignedObject.getObject; this is a documented exploitation artifact.
  • Hunt for unexpected child processes spawned by the GoAnywhere Java process and newly created admin accounts.
  • Match against published Microsoft and Fortra indicators of compromise (IOCs); CISA added the CVE to its Known Exploited Vulnerabilities (KEV) catalog on September 29, 2025.
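As an added illustration of the first detection bullet (example code, not Fortra's or Microsoft's tooling), the script below groups stack-trace lines under the log event that produced them and flags any trace that passes through java.security.SignedObject.getObject. The timestamp layout, logger names and com.example class names in the sample are constructed assumptions; GoAnywhere's real log format is not reproduced on this page, so adjust EVENT_START to the deployment's format.

```python
import re

# Real JDK frame named in the detection bullet; everything around it in the
# sample below is constructed for this example, not GoAnywhere's real log format.
ARTIFACT_FRAME = "java.security.SignedObject.getObject"

# A log event starts with a timestamp (assumed layout); any following line
# that does not belongs to that event (exception summary and "at ..." frames).
EVENT_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} ")

# Constructed sample: a normal login, one trace carrying the artifact,
# and an unrelated trace that must not be flagged.
SAMPLE_LOG = """\
2025-09-18 10:14:02 INFO  [admin] User 'svc_mft' logged in from 10.0.5.12
2025-09-18 10:16:41 ERROR [LicenseServlet] Error handling license response
java.lang.ClassCastException: constructed placeholder exception text
\tat java.base/java.io.ObjectInputStream.readObject(ObjectInputStream.java:0)
\tat java.base/java.security.SignedObject.getObject(SignedObject.java:0)
\tat com.example.mft.LicenseServlet.doPost(LicenseServlet.java:0)
2025-09-18 10:30:00 ERROR [Scheduler] Job 'nightly-sync' failed
java.lang.NullPointerException
\tat com.example.mft.Scheduler.run(Scheduler.java:0)
"""


def group_events(log_text: str) -> list[dict]:
    """Split a log into events, each with its headline and trailing trace lines."""
    events: list[dict] = []
    for line in log_text.splitlines():
        if EVENT_START.match(line):
            events.append({"headline": line, "trace": []})
        elif events:                       # continuation line of the last event
            events[-1]["trace"].append(line.strip())
    return events


def find_signedobject_traces(log_text: str) -> list[dict]:
    """Return the events whose stack trace passes through SignedObject.getObject."""
    return [e for e in group_events(log_text)
            if any(ARTIFACT_FRAME in frame for frame in e["trace"])]


if __name__ == "__main__":
    for hit in find_signedobject_traces(SAMPLE_LOG):
        print("ARTIFACT:", hit["headline"])
        for frame in hit["trace"]:
            print("   ", frame)
```

A clean log does not prove the host was not exploited; pair this check with the process and account hunts in the other bullets.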
