Critical CVSS-10 Flaw in Fortra GoAnywhere MFT Prompts Urgent Patch and Contingency Measures

A critical vulnerability in Fortra’s GoAnywhere Managed File Transfer (MFT) has been assigned the maximum CVSS score of 10.0 and is tracked as CVE-2025-10035. The vendor and security researchers warn that the flaw could allow a full takeover of systems responsible for moving and safeguarding sensitive organizational data.

The defect lies in GoAnywhere MFT’s License Servlet, a component that handles license validation. It is a deserialization vulnerability that could be exploited by sending a forged license response signature to load a malicious object, potentially enabling an attacker to execute arbitrary code on affected systems, according to the vendor. In practical terms, successful exploitation could compromise the integrity, confidentiality, and availability of the file transfer infrastructure.
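To make the bug class concrete, the following is an added illustrative sketch (not Fortra’s code; the class, record and field names are hypothetical, RSA signing and Java 16+ are assumed) showing the unsafe shape of a signed-response loader beside the hardened one: verify the signature over the raw bytes before any deserialization, and deserialize only through a strict class allow-list.

```java
import java.io.ByteArrayInputStream;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.Serializable;
import java.security.PublicKey;
import java.security.Signature;

// Illustrative verifier for a signed, serialized license response.
// Hypothetical names; this is NOT GoAnywhere's code.
public final class LicenseResponseVerifier {

    // Hypothetical payload a license server might return.
    public record License(String customer, long expiresEpoch) implements Serializable {}

    // Allow-list: the expected record, the JDK type it carries, and nothing else.
    private static final ObjectInputFilter ALLOW_LIST = ObjectInputFilter.Config.createFilter(
            "LicenseResponseVerifier$License;java.lang.String;maxdepth=3;!*");

    private final PublicKey serverKey;

    public LicenseResponseVerifier(PublicKey serverKey) { this.serverKey = serverKey; }

    // Unsafe shape: attacker-controlled bytes are deserialized before any
    // authenticity check, so gadget chains run regardless of the signature.
    public static Object unsafeLoad(byte[] body) throws Exception {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            return in.readObject(); // no filter, no prior signature check
        }
    }

    // Hardened shape: (1) verify the signature over the raw bytes first,
    // (2) deserialize only through a strict class allow-list, (3) check the type.
    public License load(byte[] body, byte[] signature) throws Exception {
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(serverKey);
        sig.update(body);
        if (!sig.verify(signature)) {
            throw new SecurityException("license response signature invalid");
        }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            in.setObjectInputFilter(ALLOW_LIST); // must be set before readObject()
            Object o = in.readObject();
            if (!(o instanceof License license)) {
                throw new SecurityException("unexpected payload type");
            }
            return license;
        }
    }
}
```

Order is the point: a signature check performed on the already-deserialized object comes too late, because the untrusted bytes have been processed by then.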

Security researchers at watchTowr Labs have highlighted the gravity of the issue, noting that there are “over 20,000 instances exposed to the Internet” and describing the vulnerability as a prime target for threat actors. Their analysis underscores the real-world risk of weaponisation in the wild, raising alarms across enterprises that rely on GoAnywhere MFT for regulated data exchange.

The incident also echoes a prior vulnerability in the same product: CVE-2023-0669, a pre-authentication command-injection flaw that was widely exploited by ransomware and APT groups in 2023, including the CL0P operation. The historical context is documented in the National Vulnerability Database entry for CVE-2023-0669, illustrating a pattern of pre-authentication vulnerabilities in GoAnywhere MFT that has previously attracted significant adversarial attention.

To mitigate the risk, Fortra has released patches in version 7.8.4 and Sustain Release 7.6.3. Organizations are strongly urged to upgrade to these patched builds immediately and to review network exposure around the GoAnywhere Admin Console. Administrators should also restrict external access by placing the service behind a firewall or VPN and monitor logs for unusual activity, as per the vendor’s guidance.

Industry observers emphasize the importance of rapid action. Ryan Dewhurst, a threat intelligence expert at watchTowr, warned that the issue is “almost certain to be weaponised for in-the-wild exploitation soon,” given thousands of exposed instances and the nature of the license-check path in the Admin Console. He urged organisations to apply the official patches and to restrict external access to the Admin Console as a precautionary measure.