CVE-2025-10035 - OpenCVE

A deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Fortra	Goanywhere Managed File Transfer

No data.

No data.

References

Link	Providers
https://www.fortra.com/security/advisories/product-security/fi-2025-012

History

Fri, 19 Sep 2025 09:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Fortra Fortra goanywhere Managed File Transfer
Vendors & Products		Fortra Fortra goanywhere Managed File Transfer

Thu, 18 Sep 2025 23:30:00 +0000

Type	Values Removed	Values Added
References	https://www.fortra.com/security/advisories/product-security/fi-2025-011

Thu, 18 Sep 2025 22:45:00 +0000

Type	Values Removed	Values Added
References		https://www.fortra.com/security/advisories/product-security/fi-2025-012

Thu, 18 Sep 2025 22:15:00 +0000

Type	Values Removed	Values Added
Description		A deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection.
Title		Deserialization Vulnerability in GoAnywhere MFT's License Servlet
Weaknesses		CWE-502 CWE-77
References		https://www.fortra.com/security/advisories/product-security/fi-2025-011
Metrics		cvssV3_1 `{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}`

MITRE

Status: PUBLISHED

Assigner: Fortra

Published: 2025-09-18T22:01:51.337Z

Updated: 2025-09-19T12:12:18.916Z

Reserved: 2025-09-05T16:43:32.877Z

Link: CVE-2025-10035

Vulnrichment

No data.

NVD

Status : Received

Published: 2025-09-18T22:15:41.857

Modified: 2025-09-18T23:15:34.043

Link: CVE-2025-10035

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-10035", "assignerOrgId": "df4dee71-de3a-4139-9588-11b62fe6c0ff", "state": "PUBLISHED", "assignerShortName": "Fortra", "dateReserved": "2025-09-05T16:43:32.877Z", "datePublished": "2025-09-18T22:01:51.337Z", "dateUpdated": "2025-09-19T12:12:18.916Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "platforms": ["Linux", "Windows", "MacOS"], "product": "GoAnywhere MFT", "vendor": "Fortra", "versions": [{"lessThanOrEqual": "7.8.3", "status": "affected", "version": "0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an actor with a validly forged license response signature to <span style=\"background-color: rgb(255, 255, 255);\">deserialize an arbitrary actor-controlled object, possibly leading to command injection.</span>"}], "value": "A deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection."}], "impacts": [{"capecId": "CAPEC-248", "descriptions": [{"lang": "en", "value": "CAPEC-248 Command Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-77", "description": "CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "df4dee71-de3a-4139-9588-11b62fe6c0ff", "shortName": "Fortra", "dateUpdated": "2025-09-18T22:43:41.684Z"}, "references": [{"url": "https://www.fortra.com/security/advisories/product-security/fi-2025-012"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Upgrade to a patched version (the latest release 7.8.4, or the Sustain Release 7.6.3)"}], "value": "Upgrade to a patched version (the latest release 7.8.4, or the Sustain Release 7.6.3)"}], "source": {"discovery": "UNKNOWN"}, "title": "Deserialization Vulnerability in GoAnywhere MFT's License Servlet", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">\n\nImmediately ensure that access to the GoAnywhere Admin Console is not open to the public. Exploitation of this vulnerability is highly dependent upon systems being externally exposed to the internet. \n\n</span>\n\n<br>"}], "value": "Immediately ensure that access to the GoAnywhere Admin Console is not open to the public. Exploitation of this vulnerability is highly dependent upon systems being externally exposed to the internet."}], "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-09-19T12:11:56.697934Z", "id": "CVE-2025-10035", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-19T12:12:18.916Z"}}]}}