🔴 CVE-2025-10035

CVE-2025-10035 is a critical deserialization vulnerability in Fortra GoAnywhere MFT's License Servlet that allows unauthenticated remote code execution. This vulnerability has been actively exploited as a zero-day and affects internet-facing managed file transfer servers.

Risk Level: HIGH_RISK

CVSS Score: 10.0

Attack Vector: NETWORK

ATT&CK Tactic: Initial Access

ATT&CK Technique: T1190 — Exploit Public-Facing Application

Deployment Risk: HIGH

Ransomware: Yes (+138d)

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2025-09-18

Added to CISA KEV: 2025-09-29 (11 days between CVE and KEV)

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2025-09-29)

CVE-2025-10035 is a critical command injection vulnerability affecting Fortra GoAnywhere MFT. Here's what is known about its exploitation:

  • Internet-facing applications or services: The vulnerability is highly dependent on systems being externally exposed to the internet [1]. External vulnerability scans look for vulnerabilities in internet-facing infrastructure to determine which ones can be exploited [5].
  • Evidence of active exploitation in the wild: CVE-2025-10035 has been actively exploited as a zero-day vulnerability [6].
  • Attack vectors and exploitation methods: The vulnerability allows an unauthenticated attacker to remotely execute code on the system [3]. Successful exploitation could allow an attacker with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection [1].
  • Targeted attacks: While the provided documents do not explicitly confirm CVE-2025-10035 has been used in targeted attacks, it is worth noting that GoAnywhere MFT was previously targeted in 2023 by the Cl0p ransomware group via CVE-2023-0669, resulting in data exfiltration from numerous victims [2].
  • CISA Known Exploited Vulnerabilities status: There is no mention of CVE-2025-10035 being added to the CISA Known Exploited Vulnerabilities catalog in the provided context.
  • Technical details about internet exploitability: The vulnerability is a deserialization vulnerability in Fortra's GoAnywhere MFT's License Servlet [4]. It allows an unauthenticated attacker to remotely execute some code on the system [3]. Exploitation is highly dependent on systems being externally exposed to the internet [1].

Sources

  1. A Vulnerability in GoAnywhere Managed File Transfer (MFT) Could Allow ...

    Exploitation of this vulnerability is highly dependent upon systems being externally exposed to the internet. (CVE-2025-10035) Successful exploitation of this vulnerability could allow an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, poss…

  2. CVE-2025-10035

    In 2023, the Cl0p ransomware group targeted GoAnywhere MFT via CVE-2023-0669, resulting in data exfiltration from numerous victims.

  3. Fortra GoAnywhere MFT vulnerability | CVE-2025-10035

    The vulnerability tracked as CVE-2025-10035 allows an unauthenticated attacker to remotely execute some code on the system, through the ...

  4. CVE-2025-10035 Impact, Exploitability, and Mitigation Steps

    A critical deserialization vulnerability (CVE-2025-10035) was discovered in Fortra's GoAnywhere MFT's License Servlet on September 18, 2025.

  5. 3 Types of Security Scans | Arctic Wolf

    September 19, 2025. CVE-2025-10035: Maximum-Severity Command Injection Vulnerability in Fortra GoAnywhere MFT. External vulnerability scans look at your network from the threat actor’s perspective. They scan external IP addresses and domains, probing for vulnerabilities in internet-facing infrastruct…