Fortra has released patches for a critical-severity vulnerability in the GoAnywhere secure managed file transfer (MFT) software that could be exploited for command injection.
GoAnywhere MFT is an enterprise application that allows organizations to automate and secure the exchange of data with their trading partners.
Tracked as CVE-2025-10035 (CVSS score of 10), the critical bug is described as a deserialization of untrusted data issue affecting the application’s license servlet.
According to Fortra’s advisory, the bug could be exploited by “an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection”.
Successful exploitation of the flaw, Rapid7 warns, could allow unauthenticated attackers to achieve remote code execution (RCE) on vulnerable GoAnywhere MFT instances.
Fortra included patches for the security defect in GoAnywhere MFT version 7.8.4 and GoAnywhere MFT Sustain version 7.6.3 and urged customers to ensure that the GoAnywhere Admin Console is not accessible to the public.
“Exploitation of this vulnerability is highly dependent upon systems being externally exposed to the internet,” the company notes.
Fortra also advises customers to monitor Admin Audit logs for suspicious activity and to look in log files for errors containing the SignedObject.getObject: string in exception stack traces, which indicates impact from the vulnerability.
However, Fortra makes no mention of this vulnerability being exploited in the wild and Rapid7 notes that it has not seen public exploit code either.
“However, given the nature and history of this product, this new vulnerability should be treated as a significant threat,” Rapid7 notes.
In 2023, hackers associated with the infamous Cl0p ransomware operation exploited a zero-day vulnerability (CVE-2023-0669) in Fortra’s file transfer product, created unauthorized accounts on customer environments and stole data from dozens of organizations.
Related: CISA Analyzes Malware From Ivanti EPMM Intrusions
Related: Unpatched Vulnerabilities Expose Novakon HMIs to Remote Hacking
Related: Critical Infrastructure Operators Implementing Zero Trust in OT Environments
Related: OpenSMTPD Vulnerability Leads to Command Injection
