Critical Vulnerability in Fortra GoAnywhere (CVE-2025-10035)

Executive Summary

On September 18th, software company Fortra published an advisory detailing a critical vulnerability in their popular managed file transfer application GoAnywhere MFT. The issue is present in the GoAnywhere MFT administration interface and affects organizations whose admin interface is reachable from the internet. The vulnerability is related to deserialization and may permit an unauthenticated attacker to perform command injection, allowing threat actors to run arbitrary commands on the appliance.

GoAnywhere MFT is a file transfer application designed to support secure file uploads, downloads, and transfers. The appliance is designed to be deployed directly internet-facing. If exploited, this vulnerability could allow an attacker to gain full control over the GoAnywhere MFT solution. This may include unauthorized access to files hosted on the appliance, or it may provide attackers with initial access to client environments.

There are no known publicly available proof-of-concept (POC) exploits at time of writing, and there are no reports of this vulnerability currently being used in the wild. However, patches have been released, and Beazley Security expects financially motivated threat actors to study the fixes to develop and deploy weaponized exploits in the coming days, given the sensitive nature of the files likely hosted on these systems. Affected organizations should update their systems as soon as possible.

Affected Systems or Products

Product           Affected                                      Unaffected
GoAnywhere MFT    Release < 7.8.4, Sustained Release < 7.6.3    Release >= 7.8.4, Sustained Release >= 7.6.3

Mitigations / Workarounds

The official Fortra advisory advises affected organizations to restrict access to the administration console to the internal network only, and to block inbound traffic to it from the internet.

Patches

Patches are available from the vendor and can be applied via normal update processes.

Technical Details

At time of writing there are no public technical details of the bug behind this vulnerability, but the vulnerability class is well known. Deserialization is a mechanism by which a program accepts data sent over the network and translates it into a format it can process internally. Because that data is passed into and directly processed by the target program, attacker-supplied data can cause severe side-effects under certain conditions if it is not tightly controlled and properly sanitized. In this specific case, the data in question was reported to be a “validly forged license response signature.”
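The defensive pattern for this vulnerability class, as an added illustration that is not code from Fortra or from the advisory and does not describe the actual GoAnywhere bug: a hypothetical license endpoint that authenticates the message before parsing it and then deserializes only through a type allowlist, so an accepted-but-forged signature alone does not let the sender choose which types get instantiated. Python's pickle stands in for whatever serializer the real product uses; the key, message layout and LicenseResponse class are constructed for the demo.

```python
import hashlib
import hmac
import io
import math
import pickle
from dataclasses import dataclass

SERVER_KEY = b"constructed-demo-key"  # constructed; a real service loads this from a secret store

@dataclass
class LicenseResponse:          # the only type this hypothetical endpoint expects
    customer: str
    seats: int

# Allowlist keyed on (module, name), taken from the class so it holds when imported.
ALLOWED_TYPES = {(LicenseResponse.__module__, LicenseResponse.__qualname__)}

class RestrictedUnpickler(pickle.Unpickler):
    """Refuses any global reference (class or function) not explicitly allowlisted."""
    def find_class(self, module, name):
        if (module, name) in ALLOWED_TYPES:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refused to resolve {module}.{name}")

def sign(payload: bytes) -> bytes:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()

def load_license_response(payload: bytes, signature: bytes) -> LicenseResponse:
    # Layer 1: authenticate the bytes before parsing them (constant-time compare).
    if not hmac.compare_digest(sign(payload), signature):
        raise ValueError("bad signature")
    # Layer 2: even a validly signed message is deserialized only through the allowlist.
    obj = RestrictedUnpickler(io.BytesIO(payload)).load()
    if not isinstance(obj, LicenseResponse):
        raise ValueError("unexpected type")
    return obj

def classify(payload: bytes, signature: bytes) -> str:
    try:
        load_license_response(payload, signature)
        return "accepted"
    except ValueError as exc:
        return str(exc)
    except pickle.UnpicklingError:
        return "refused by allowlist"

# Constructed messages: genuine; altered after signing; validly signed but naming an unexpected function.
GENUINE = pickle.dumps(LicenseResponse("acme", 25))
TAMPERED = GENUINE.replace(b"acme", b"evil")
UNEXPECTED = pickle.dumps(math.sqrt)
```

Running classify over the three constructed messages shows each defensive layer rejecting a different failure: the altered message fails at the signature check, while the correctly signed message referencing math.sqrt is refused by the allowlist before any object is built.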

How Beazley Security is Responding

Beazley Security is monitoring client perimeter devices through our Exposure Management Platform to identify impacted devices and to support organizations in remediating any issues found.

We are also conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients.

Sources
