Fortra Addresses Critical Flaw in GoAnywhere MFT Software

Fortra has issued a patch for a severe vulnerability in its GoAnywhere Managed File Transfer (MFT) software, which could have allowed attackers to execute arbitrary commands on affected systems.

The Vulnerability: Deserialization Flaw in License Servlet

A critical deserialization flaw in the License Servlet of Fortra's GoAnywhere MFT has been addressed by the company. This vulnerability, tracked as CVE-2025-10035 with a CVSS score of 10.0, poses a significant threat to the security of organizations using the software.

The advisory from Fortra states that an attacker could exploit this vulnerability by deserializing an arbitrary actor-controlled object, potentially leading to command injection and unauthorized access to sensitive data.

Recommendations for Mitigation

Fortra recommends that customers upgrade to a patched version of the software, specifically the latest release (7.8.4) or the Sustain Release (7.6.3). To mitigate the vulnerability, the company advises restricting public access to the GoAnywhere Admin Console, as exploitation depends on internet exposure.
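As an added example (not Fortra's code or tooling), the following Python helper applies the two fixed versions named above to a constructed inventory and prioritises hosts whose Admin Console is reachable from the internet. It assumes that any version outside the 7.6.x Sustain line must be at least 7.8.4 to count as patched; the hostnames and versions in the sample inventory are constructed.

```python
# Fixed releases named in Fortra's advisory for CVE-2025-10035.
LATEST_FIXED = (7, 8, 4)   # latest release line
SUSTAIN_FIXED = (7, 6, 3)  # Sustain Release line (7.6.x)


def parse_version(text: str) -> tuple:
    """Turn '7.6.2' into (7, 6, 2); reject anything that is not dotted integers."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def is_patched(version: str) -> bool:
    """A 7.6.x install is fixed from 7.6.3; every other line needs 7.8.4 or later.

    Assumption (not stated in the advisory): release lines that are neither
    7.6.x nor >= 7.8.4 (for example 7.7.x) are treated as vulnerable.
    """
    v = parse_version(version)
    if v[:2] == SUSTAIN_FIXED[:2]:
        return v >= SUSTAIN_FIXED
    return v >= LATEST_FIXED


def triage(inventory):
    """Return (host, status, action) rows; exposed unpatched hosts come first."""
    rows = []
    for host, version, admin_console_public in inventory:
        if is_patched(version):
            status, action = "patched", "none"
        elif admin_console_public:
            status, action = "vulnerable-exposed", "restrict Admin Console access now, then upgrade"
        else:
            status, action = "vulnerable-internal", "schedule upgrade"
        rows.append((host, status, action))
    order = {"vulnerable-exposed": 0, "vulnerable-internal": 1, "patched": 2}
    return sorted(rows, key=lambda r: order[r[1]])


# Constructed sample inventory: (hostname, GoAnywhere version, Admin Console on the internet?)
SAMPLE_INVENTORY = [
    ("mft-dmz-01.example", "7.8.3", True),
    ("mft-core-02.example", "7.6.2", False),
    ("mft-core-03.example", "7.6.3", False),
    ("mft-lab-04.example", "7.8.4", True),
]

if __name__ == "__main__":
    for host, status, action in triage(SAMPLE_INVENTORY):
        print(f"{host:22} {status:20} {action}")
```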

Previous Vulnerability: Authentication Bypass

In January 2024, Fortra warned customers of an authentication bypass vulnerability tracked as CVE-2024-0204 (CVSS score 9.8), impacting the GoAnywhere MFT product. This flaw allowed unauthorized users to create admin users using the administration portal of the appliance.

Researcher Details

The flaw was reported by Mohammed Eldeeb & Islam Elrfai from Spark Engineering Consultants on December 1, 2023. Horizon3's Attack Team published technical details of the vulnerability CVE-2024-0204 impacting Fortra GoAnywhere MFT in the same month.

Conclusion

Fortra has taken steps to address a critical flaw in its GoAnywhere MFT software, which could have allowed attackers to execute arbitrary commands. Organizations using this software are urged to upgrade to a patched version and implement mitigations to prevent exploitation. The company's proactive response demonstrates its commitment to protecting customer data.