Critical · CISA KEV · Exploited in the wild · Public exploit

Unsafe deserialization RCE in Fortra GoAnywhere MFT License Servlet

Identifiers: CVE-2025-10035 · CWE-502 (Deserialization of Untrusted Data)

CVE-2025-10035 is a critical deserialization vulnerability in the License Servlet / license processing workflow of Fortra GoAnywhere MFT. Fortra describes the issue as allowing an actor with a validly forged license response signature to cause deserialization of an arbitrary attacker-controlled object, possibly leading to command injection. Supporting analysis indicates the vulnerable path processes attacker-supplied license response bundles and, after signature verification succeeds, invokes Java SignedObject deserialization on untrusted content via signedObject.getObject(), enabling deserialization of attacker-controlled objects. Research comparing vulnerable and fixed versions indicates the flaw affected GoAnywhere MFT up to 7.8.3, with fixes in 7.8.4 and 7.6.3. Public reporting further indicates exploitation may be reachable without authentication on externally exposed instances through the license activation/acceptance workflow, although successful exploitation depends on supplying a validly forged license response signature. Multiple sources characterize the end result as command injection / remote code execution.
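The pattern described above, shown from the defender's side as an added example (not Fortra's code and not taken from the cited research): a valid signature says nothing about the type inside a SignedObject, and a deserialization allow-list closes that gap. The class names, the `unwrap` helper, the in-process key pair and the String-only allow-list are assumptions made for illustration.

```java
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.Serializable;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignedObject;

public class SignedObjectFilterDemo {
    // Hypothetical stand-in for any class the application never expects in a license response.
    static class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    // Pattern described above: check the signature, then call getObject() on the content.
    static Object unwrap(SignedObject so, PublicKey key) throws Exception {
        if (!so.verify(key, Signature.getInstance("SHA256withRSA")))
            throw new SecurityException("signature check failed");
        return so.getObject(); // deserializes the embedded bytes with an internal ObjectInputStream
    }

    public static void main(String[] args) throws Exception {
        // Constructed key pair and payloads; nothing here comes from GoAnywhere MFT.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        Signature signer = Signature.getInstance("SHA256withRSA");
        SignedObject expected = new SignedObject("license-ok", kp.getPrivate(), signer);
        SignedObject other = new SignedObject(new Unexpected(), kp.getPrivate(), signer);

        // Without a filter, a valid signature is the only gate: both payload types are instantiated.
        System.out.println("no filter, String:     " + unwrap(expected, kp.getPublic()));
        System.out.println("no filter, Unexpected: " + unwrap(other, kp.getPublic()).getClass().getName());

        // JVM-wide allow-list; it also applies to the stream getObject() creates internally.
        // Assumption: the legitimate payload is a String. A real deployment lists its own types.
        ObjectInputFilter.Config.setSerialFilter(
            ObjectInputFilter.Config.createFilter("java.lang.String;!*"));

        System.out.println("filtered, String:      " + unwrap(expected, kp.getPublic()));
        try {
            unwrap(other, kp.getPublic());
            System.out.println("filtered, Unexpected:  accepted (filter not effective)");
        } catch (InvalidClassException e) {
            System.out.println("filtered, Unexpected:  rejected (" + e.getMessage() + ")");
        }
    }
}
```

Run with JDK 9 or later. The same kind of allow-list can be supplied without code changes through the `jdk.serialFilter` system property.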


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can result in unauthenticated remote code execution on vulnerable GoAnywhere MFT instances, enabling full compromise of the application host. Reported post-exploitation outcomes include system and user discovery, persistence establishment, deployment of remote management tooling, lateral movement, data exfiltration, and ransomware deployment. Because GoAnywhere MFT commonly handles sensitive enterprise file transfers, compromise can also expose transferred data and credentials and provide a high-value foothold for broader intrusion activity.

Mitigation

If you can’t patch tonight, do this now.

Ensure the GoAnywhere MFT admin console is not exposed to the public internet. Restrict access to the application through perimeter controls such as firewall rules, reverse proxies, WAFs, or DMZ placement, and limit arbitrary outbound internet access from the server to reduce malware download and C2 opportunities. Increase monitoring for suspicious activity around the license servlet / admin console, large file uploads, unusual outbound traffic, archive or transfer utilities, creation of JSP files in GoAnywhere directories, RMM tool deployment, and credential theft or Defender tampering behaviors. If compromise is suspected, isolate the host and perform incident response, as upgrading does not remediate prior exploitation.

Remediation

Patch, then assume compromise.

Upgrade GoAnywhere MFT to a fixed release. Patched versions are 7.8.4 and 7.6.3 (sustain release); versions up to 7.8.3 are vulnerable. Apply the vendor security update immediately and review vendor guidance for any additional hardening changes to the license workflow and admin console exposure. Because the vulnerability has been reported as exploited in the wild, patching alone is insufficient for systems that may already be compromised; affected environments should be investigated for post-exploitation artifacts, persistence, suspicious accounts, web shells, RMM tools, exfiltration activity, and ransomware staging.

PUBLIC EXPLOITS

Exploits

No valid public exploits. Mallory filtered out 3 candidates as fakes, detection scripts, or README-only repos.


EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability.

Vendor | Product | Type
Fortra | Goanywhere Managed File Transfer | application

Vendor-confirmed product mapping.