cve-2025-10035
Vulnerability from cvelistv5
Published
2025-09-18 22:01
Modified
2025-09-29 22:20
Severity ?
EPSS score ?
Summary
Deserialization Vulnerability in GoAnywhere MFT's License Servlet
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Fortra | GoAnywhere MFT |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-10035",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-19T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2025-09-29",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-10035"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T22:20:24.526Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"timeline": [
{
"lang": "en",
"time": "2025-09-29T00:00:00+00:00",
"value": "CVE-2025-10035 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"platforms": [
"Linux",
"Windows",
"MacOS"
],
"product": "GoAnywhere MFT",
"vendor": "Fortra",
"versions": [
{
"lessThanOrEqual": "7.8.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A deserialization vulnerability in the License Servlet of Fortra\u0027s GoAnywhere MFT allows an actor with a validly forged license response signature to \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003edeserialize an arbitrary actor-controlled object, possibly leading to command injection.\u003c/span\u003e"
}
],
"value": "A deserialization vulnerability in the License Servlet of Fortra\u0027s GoAnywhere MFT allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection."
}
],
"impacts": [
{
"capecId": "CAPEC-248",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-248 Command Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-18T22:43:41.684Z",
"orgId": "df4dee71-de3a-4139-9588-11b62fe6c0ff",
"shortName": "Fortra"
},
"references": [
{
"url": "https://www.fortra.com/security/advisories/product-security/fi-2025-012"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Upgrade to a patched version (the latest release 7.8.4, or the Sustain Release 7.6.3)"
}
],
"value": "Upgrade to a patched version (the latest release 7.8.4, or the Sustain Release 7.6.3)"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Deserialization Vulnerability in GoAnywhere MFT\u0027s License Servlet",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\nImmediately ensure that access to the GoAnywhere Admin Console is not open to the public. Exploitation of this vulnerability is highly dependent upon systems being externally exposed to the internet. \n\n\u003c/span\u003e\n\n\u003cbr\u003e"
}
],
"value": "Immediately ensure that access to the GoAnywhere Admin Console is not open to the public. Exploitation of this vulnerability is highly dependent upon systems being externally exposed to the internet."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "df4dee71-de3a-4139-9588-11b62fe6c0ff",
"assignerShortName": "Fortra",
"cveId": "CVE-2025-10035",
"datePublished": "2025-09-18T22:01:51.337Z",
"dateReserved": "2025-09-05T16:43:32.877Z",
"dateUpdated": "2025-09-29T22:20:24.526Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-10035\",\"sourceIdentifier\":\"df4dee71-de3a-4139-9588-11b62fe6c0ff\",\"published\":\"2025-09-18T22:15:41.857\",\"lastModified\":\"2025-09-30T14:26:14.983\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A deserialization vulnerability in the License Servlet of Fortra\u0027s GoAnywhere MFT allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"df4dee71-de3a-4139-9588-11b62fe6c0ff\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":10.0,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":6.0}]},\"cisaExploitAdd\":\"2025-09-29\",\"cisaActionDue\":\"2025-10-20\",\"cisaRequiredAction\":\"Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.\",\"cisaVulnerabilityName\":\"Fortra GoAnywhere MFT Deserialization of Untrusted Data Vulnerability\",\"weaknesses\":[{\"source\":\"df4dee71-de3a-4139-9588-11b62fe6c0ff\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-77\"},{\"lang\":\"en\",\"value\":\"CWE-502\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:fortra:goanywhere_managed_file_transfer:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"7.6.3\",\"matchCriteriaId\":\"CF143971-7546-4C90-B0D0-A3E08536BF4F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:fortra:goanywhere_managed_file_transfer:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"7.7.0\",\"versionEndExcluding\":\"7.8.4\",\"matchCriteriaId\":\"479CA63D-4C41-4CA1-9655-A8BD43311CEA\"}]}]}],\"references\":[{\"url\":\"https://www.fortra.com/security/advisories/product-security/fi-2025-012\",\"source\":\"df4dee71-de3a-4139-9588-11b62fe6c0ff\",\"tags\":[\"Vendor Advisory\"]}]}}"
}
}
Loading...
Loading...
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.