Overview
On September 18, 2025, Fortra published an advisory for CVE-2025-10035. This new vulnerability affects GoAnywhere MFT, an enterprise managed file transfer solution, and allows an attacker to achieve unauthenticated remote code execution.
GoAnywhere MFT has been exploited in the wild before. In 2023, CVE-2023-0669 was exploited in the wild as a zero-day, and that vulnerability is known to have been used by ransomware groups.
Currently there is no known public exploit code for the new vulnerability, CVE-2025-10035, and the vendor has not reported it as exploited in the wild. However, given the nature and history of this product, this new vulnerability should be treated as a significant threat.
As described by the vendor, CVE-2025-10035 is an unsafe deserialization issue: a remote, unauthenticated attacker can cause the product to deserialize an arbitrary attacker-controlled Java object, which in turn triggers a gadget chain that executes an arbitrary operating system (OS) command, giving the attacker remote code execution on the target system.
The vendor has described the issue as being located in the License servlet of the product, and requiring the attacker to have “a validly forged license response signature” in order to exploit this issue.
Update 1: On September 24, 2025, Rapid7 Labs published a root cause analysis of CVE-2025-10035. Our analysis reveals that this vulnerability is not a single deserialization flaw but a chain of three separate issues: an access control bypass that has been known since 2023, the unsafe deserialization vulnerability CVE-2025-10035, and an as-yet unknown issue regarding how an attacker can know a specific private key.
Update 2: On September 29, 2025, CVE-2025-10035 was added to the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) list of known exploited vulnerabilities (KEV).
Mitigation guidance
A vendor supplied update is available to remediate CVE-2025-10035. Customers of affected GoAnywhere MFT instances are advised to update to the latest version of GoAnywhere MFT on an urgent basis.
The following versions remediate CVE-2025-10035:
- GoAnywhere MFT latest release version 7.8.4 and above.
- GoAnywhere MFT Sustain release version 7.6.3 and above.
For the latest mitigation guidance, please refer to the vendor security advisory.
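As an added example (not code from Rapid7 or Fortra), the following Python helper classifies an inventory of reported GoAnywhere MFT versions against the two fixed versions listed above. It assumes that any build outside the 7.6 Sustain line and below 7.8.4 is still affected, and the inventory it runs on is constructed sample data.

```python
# Triage helper for CVE-2025-10035 based on the fixed versions named in the
# vendor advisory: 7.8.4 and above (latest release line) and 7.6.3 and above
# (Sustain line). Added example, not Rapid7's or Fortra's code.
# Assumption: a build that is neither on the 7.6 Sustain line at 7.6.3 or
# later, nor at 7.8.4 or later, is treated as still affected.
import re

FIXED_LATEST = (7, 8, 4)
FIXED_SUSTAIN = (7, 6, 3)


def parse_version(text):
    """Extract 'major.minor.patch' from a string such as '7.8.3' or
    'GoAnywhere MFT 7.6.2'; returns a 3-tuple of ints or raises ValueError."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(version):
    """True if the build carries the CVE-2025-10035 fix on either release line."""
    v = parse_version(version)
    if v[:2] == FIXED_SUSTAIN[:2]:      # 7.6.x Sustain line
        return v >= FIXED_SUSTAIN
    return v >= FIXED_LATEST            # everything else must be 7.8.4+


def triage(inventory):
    """Map host -> 'patched' or 'update required' for a dict of
    host -> reported version string."""
    return {host: ("patched" if is_patched(ver) else "update required")
            for host, ver in inventory.items()}


if __name__ == "__main__":
    sample = {  # constructed sample inventory, not real hosts
        "mft-prod-01": "7.8.4",
        "mft-prod-02": "7.8.3",
        "mft-legacy": "GoAnywhere MFT 7.6.3",
        "mft-legacy-2": "7.6.2",
        "mft-test": "7.7.1",
    }
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```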
Rapid7 customers
InsightVM and Nexpose
InsightVM and Nexpose customers can assess their exposure to CVE-2025-10035 with authenticated (Windows systems only) and unauthenticated checks available in today's (19 September) content release.
Intelligence Hub
Customers leveraging Rapid7’s Intelligence Hub can track the latest developments surrounding CVE-2025-10035.
Updates
- September 22, 2025: Added section for Intelligence Hub, under Rapid7 customers.
- September 25, 2025: Added an update to the overview, referencing our AttackerKB Rapid7 Analysis of CVE-2025-10035.
- September 30, 2025: Added reference to the CISA KEV list.