Fortra GoAnywhere MFT: CVE-2025-10035: Improper Neutralization of Special Elements used in a Command

Severity: 10
CVSS: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Published: Sep 18, 2025
Added: Sep 19, 2025
Modified: Oct 1, 2025

Description

A deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection.
This detection relies on access to the admin panel, as does the exploit. Please follow the vendor's mitigation advice and make sure that public access to the admin panel is disabled.

Solution

fortra-goanywhere-mft-upgrade-latest