Fortra addressed a maximum severity flaw in GoAnywhere MFT software
Fortra fixed a deserialization vulnerability with a CVSS score of 10.0 (CVE-2025-10035) in its GoAnywhere MFT software; the flaw allows an attacker to execute arbitrary commands by forging a license response signature. Users are advised to upgrade to version 7.8.4 or 7.6.3 and to restrict access to the admin console to mitigate the risk. 2025-9-19 17:32:39 Source: securityaffairs.com


Pierluigi Paganini September 19, 2025

Fortra addressed a critical flaw in GoAnywhere Managed File Transfer (MFT) software that could result in the execution of arbitrary commands.

Fortra addressed a critical vulnerability, tracked as CVE-2025-10035 (CVSS score of 10.0) in GoAnywhere Managed File Transfer (MFT) software.

Fortra GoAnywhere Managed File Transfer is a comprehensive solution for secure file transfer, data encryption, and compliance management. It provides a centralized platform for managing and automating file transfers between disparate systems and applications, enabling secure and controlled data movement across an organization’s network.

The flaw is a deserialization vulnerability in the License Servlet of Fortra’s GoAnywhere MFT. An attacker could exploit it to execute arbitrary commands on affected systems.

“A deserialization vulnerability in the License Servlet of Fortra’s GoAnywhere MFT allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection,” reads the advisory.
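The advisory describes two conditions that together lead to code execution: the License Servlet accepts a signed license response, and a forged-but-valid signature lets an actor-controlled object be deserialized. The following Python example is an added illustration, not Fortra's code or GoAnywhere's implementation (which is Java), of the two defensive controls that address this class of bug: authenticate the payload before any deserialization happens, and restrict deserialization to an explicit allowlist of expected types so that a valid signature alone never grants the right to instantiate arbitrary classes. The key, the `build_response` and `parse_license_response` helpers, the `classify_response` label function and the sample payloads are all constructed for the demo.

```python
import datetime
import hashlib
import hmac
import io
import pickle

# Constructed demo key; a real service would load its verification key from a
# secret store and never ship it with the client.
SERVER_KEY = b"constructed-demo-key-not-a-real-secret"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes

# Deny-by-default allowlist: the only classes a license response may reference.
ALLOWED_CLASSES = {("builtins", "dict"), ("builtins", "list"),
                   ("builtins", "str"), ("builtins", "int"), ("builtins", "bool")}


class RestrictedUnpickler(pickle.Unpickler):
    """Refuses to resolve any class that is not on the allowlist."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_CLASSES:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked class {module}.{name}")


def sign(payload: bytes, key: bytes = SERVER_KEY) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()


def build_response(obj, key: bytes = SERVER_KEY) -> bytes:
    """Serialize obj and append an HMAC tag (what a license server would do)."""
    payload = pickle.dumps(obj)
    return payload + sign(payload, key)


def parse_license_response(blob: bytes, key: bytes = SERVER_KEY):
    """Verify the tag first, then deserialize under the allowlist."""
    if len(blob) < TAG_LEN:
        raise ValueError("truncated response")
    payload, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    # Constant-time comparison of the recomputed tag with the received one;
    # no byte of the payload is interpreted until this check passes.
    if not hmac.compare_digest(sign(payload, key), tag):
        raise ValueError("bad signature")
    return RestrictedUnpickler(io.BytesIO(payload)).load()


def classify_response(blob: bytes) -> str:
    """Outcome label for a received blob: accepted, rejected-signature or rejected-type."""
    try:
        parse_license_response(blob)
        return "accepted"
    except ValueError:
        return "rejected-signature"
    except pickle.UnpicklingError:
        return "rejected-type"


def sample_blobs() -> dict:
    """Constructed inputs: a genuine response, a forged one, and a correctly
    signed one that carries a type the servlet never expects."""
    return {
        "genuine": build_response({"licensed": True, "seats": 25}),
        "forged": build_response({"licensed": True, "seats": 9999}, key=b"attacker-key"),
        "unexpected_type": build_response(datetime.date(2025, 9, 19)),
    }


if __name__ == "__main__":
    for label, blob in sample_blobs().items():
        print(f"{label:16} {classify_response(blob)}")
```

The ordering matters: the signature check runs over raw bytes and rejects the forged response before the unpickler ever sees it, while the allowlist is the second layer that still rejects the correctly signed `datetime.date` payload, so a compromised or forged signing path does not by itself translate into arbitrary object instantiation.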

The company urges customers to upgrade to a patched version (the latest release, 7.8.4, or the Sustain Release, 7.6.3).

To mitigate the vulnerability, Fortra recommends restricting public access to the GoAnywhere Admin Console, as exploitation depends on internet exposure.
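Fortra's remediation is a version upgrade plus reducing exposure of the Admin Console. The following Python snippet is an added example, not a Fortra tool, that turns the two advisory facts (fixed releases 7.8.4 and 7.6.3, internet exposure as the precondition for exploitation) into a triage over a host inventory. The `Host` records and the inventory are constructed; the treatment of branches other than 7.6 (anything below 7.8.4 counts as unpatched) is an assumption drawn from the advisory's wording, which names only those two fixed releases.

```python
from dataclasses import dataclass

# Fixed releases named in the advisory.
LATEST_FIXED = (7, 8, 4)
SUSTAIN_BRANCH = (7, 6)
SUSTAIN_FIXED = (7, 6, 3)


def parse_version(text: str) -> tuple:
    """'7.8.4' -> (7, 8, 4); tolerates a trailing build number such as 7.8.4.1."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def is_patched(version: str) -> bool:
    v = parse_version(version)
    if v[:2] == SUSTAIN_BRANCH:
        return v >= SUSTAIN_FIXED
    # Assumption: every other branch must be at or above the latest fixed release.
    return v >= LATEST_FIXED


@dataclass(frozen=True)
class Host:
    name: str
    version: str
    admin_console_public: bool  # is the Admin Console reachable from the internet?


def classify(host: Host) -> str:
    if is_patched(host.version):
        return "patched"
    # Unpatched: exposure decides urgency, following the advisory's mitigation guidance.
    return "vulnerable-exposed" if host.admin_console_public else "vulnerable-internal"


def triage(hosts) -> dict:
    """Map host name -> status so the exposed and unpatched set can be handled first."""
    return {h.name: classify(h) for h in hosts}


# Constructed inventory for the demo.
INVENTORY = [
    Host("mft-prod-01", "7.8.3", admin_console_public=True),
    Host("mft-prod-02", "7.8.4", admin_console_public=True),
    Host("mft-legacy-01", "7.6.2", admin_console_public=False),
    Host("mft-legacy-02", "7.6.3", admin_console_public=False),
    Host("mft-lab-01", "7.7.1", admin_console_public=False),
]

if __name__ == "__main__":
    for name, status in triage(INVENTORY).items():
        print(f"{name:15} {status}")
```

Hosts labelled `vulnerable-exposed` are the ones where both preconditions named by the advisory hold, so they are the first to patch or to pull behind an access restriction; `vulnerable-internal` hosts still need the upgrade, but the exposure mitigation already applies to them.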

It’s unclear if the vulnerability has been actively exploited in attacks in the wild.

In January 2024, Fortra warned customers of an authentication bypass vulnerability tracked as CVE-2024-0204 (CVSS score 9.8), impacting the GoAnywhere MFT (Managed File Transfer) product.

An unauthorized user can exploit CVE-2024-0204 to create admin users through the administration portal of the appliance. The flaw was reported by Mohammed Eldeeb and Islam Elrfai of Spark Engineering Consultants on December 1, 2023.

Fortra initially issued private advisories to customers on December 4, recommending that they apply mitigations immediately.

In the same month, Horizon3’s Attack Team published technical details of the vulnerability CVE-2024-0204 impacting Fortra GoAnywhere MFT.

Horizon3 researchers created an exploit that used a path traversal issue to reach the vulnerable endpoint (/InitialAccountSetup.xhtml). Once they reached the endpoint, they were able to start the account creation procedure.

Source: https://securityaffairs.com/182351/security/fortra-addressed-a-maximum-severity-flaw-in-goanywhere-mft-software.html