Fortra has released security updates to patch a maximum severity vulnerability in GoAnywhere MFT’s License Servlet that can be exploited in command injection attacks. The flaw, classified as CWE-502 (deserialization of untrusted data), can be exploited remotely in low-complexity attacks with no user interaction, according to the vendor’s advisory.
The vulnerability, identified as CVE-2025-10035, stems from a deserialization weakness and could enable an attacker to execute arbitrary commands on affected systems. Fortra described the issue in a security advisory as a flaw that allows an actor with a forged license response signature to deserialize an actor-controlled object, potentially leading to command injection.
During a security check conducted on Sept. 11, 2025, the company said it found that some GoAnywhere customers had an Admin Console accessible over the internet, creating a risk of unauthorized exposure. Fortra said it immediately developed a patch and issued mitigation guidance to help customers, urging administrators to review configurations and remove public access to the Admin Console.
To address CVE-2025-10035, Fortra released GoAnywhere MFT FI-2025-012 and Sustain Release FI-2025-012, including patches for the vulnerability. The company urged IT administrators who cannot immediately upgrade to secure vulnerable systems by ensuring that the GoAnywhere Admin Console cannot be accessed over the internet. “Exploitation of this vulnerability is highly dependent upon systems being externally exposed to the internet,” Fortra noted.
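One way to verify the mitigation Fortra recommends is to audit who has actually been reaching the Admin Console. The following is an added example, not code from Fortra or from the article: it parses constructed sample access-log lines in common log format, and assumes a console context path of `/goanywhere/` and RFC 1918 plus loopback as the "internal" ranges; substitute your own path and address ranges.

```python
import ipaddress
import re
from collections import Counter

# Assumed Admin Console context path; confirm against your own deployment.
ADMIN_CONSOLE_PATH = "/goanywhere/"

# Assumed "internal" ranges (RFC 1918 + loopback). A real audit uses the
# organisation's own address space, including any reverse-proxy or VPN ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Common log format: client ip, ident, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines; the addresses come from documentation ranges and
# do not refer to any real system.
SAMPLE_LOG = """\
10.20.3.15 - - [12/Sep/2025:08:01:12 +0000] "GET /goanywhere/ HTTP/1.1" 200 5123
203.0.113.42 - - [12/Sep/2025:08:02:40 +0000] "GET /goanywhere/ HTTP/1.1" 200 5123
192.168.7.9 - - [12/Sep/2025:08:03:01 +0000] "GET /webclient/Login.xhtml HTTP/1.1" 200 2048
198.51.100.7 - - [12/Sep/2025:08:05:55 +0000] "POST /goanywhere/ HTTP/1.1" 302 0
"""


def is_internal(ip_text):
    """True if the address falls inside one of the configured internal ranges."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def audit_admin_console_exposure(log_text, admin_path=ADMIN_CONSOLE_PATH):
    """Return (findings, counts): findings lists (ip, method, status) for Admin
    Console requests from outside the internal ranges, i.e. evidence that the
    console is reachable from the internet; counts tallies hits per source class."""
    findings, counts = [], Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m.group("path").startswith(admin_path):
            continue  # not a request to the Admin Console
        try:
            internal = is_internal(m.group("ip"))
        except ValueError:
            counts["unparseable"] += 1
            continue
        counts["internal" if internal else "external"] += 1
        if not internal:
            findings.append((m.group("ip"), m.group("method"), m.group("status")))
    return findings, counts
```

Any non-empty `findings` list means the console answered a request from an address outside your own ranges, which is exactly the exposure the vendor says exploitation depends on.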
Security researchers and admins are continuing to monitor the situation. Shadowserver Foundation is tracking more than 470 GoAnywhere MFT instances, though it remains unclear how many have been patched or have publicly accessible admin consoles.
GoAnywhere MFT is a web-based managed file transfer tool used by thousands of organizations to securely transfer files and maintain audit logs. The vendor, Fortra (formerly HelpSystems), serves more than 9,000 organizations worldwide, underscoring the importance of prompt patching and robust access controls in the file-transfer ecosystem.