Critical Command Injection Flaw in GoAnywhere MFT Puts File Transfer Systems at Risk
Share this article
Fortra has issued emergency patches for a critical security vulnerability in its widely used GoAnywhere Managed File Transfer (MFT) platform, warning that attackers could execute arbitrary commands on unpatched systems. Tracked as CVE-2025-10035, this maximum-severity flaw stems from insecure deserialization in the License Servlet component. Attackers with a forged license signature could weaponize this to inject malicious code remotely—without user interaction—jeopardizing sensitive file transfer infrastructure.
The Anatomy of the Flaw
Deserialization vulnerabilities occur when untrusted data is converted into executable objects without proper validation. In this case:
- Attackers craft malicious license responses with forged signatures
- GoAnywhere MFT deserializes these objects, enabling command injection
- Exploitation is feasible in low-complexity attacks requiring no privileges
Fortra confirmed the bug during a September 11 security review, noting:
"Customers with an Admin Console accessible over the internet could be vulnerable to unauthorized third-party exposure. We immediately developed a patch and offered mitigation guidance."
Exposure and Mitigation Urgency
According to Shadowserver Foundation scans, over 470 GoAnywhere MFT instances remain internet-exposed. While exploitation hasn't been confirmed, Fortra emphasizes that patching is critical:
- Fixed versions: GoAnywhere MFT 7.8.4 and Sustain Release 7.6.3
- Immediate action: Isolate Admin Consoles from public internet access if patching is delayed
Why File Transfer Systems Are Prime Targets
Managed file transfer solutions like GoAnywhere MFT handle sensitive data pipelines for enterprises—making them high-value targets. This vulnerability echoes the 2023 Clop ransomware campaign that exploited CVE-2023-0669 in GoAnywhere MFT, breaching 130+ organizations. Fortra (formerly HelpSystems) powers critical infrastructure for 9,000+ global entities, amplifying potential blast radius.
The Bigger Picture
This flaw underscores persistent risks in enterprise file transfer ecosystems—complex software often granted extensive network permissions. With threat actors actively scanning for exposed instances, administrators must:
1. Apply patches immediately
2. Enforce network segmentation for admin interfaces
3. Audit license servlet access controls
As one breach analyst noted: "File transfer systems are the crown jewels for data exfiltrators—unpatched, internet-facing instances might as well be unlocked vaults."
Source: BleepingComputer