PT-2025-38495 · Fortra · GoAnywhere MFT

Published: 2025-09-11 · Updated: 2026-02-11 · CVE-2025-10035

CVSS v3.1: 10.0
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Fortra GoAnywhere MFT versions prior to 7.8.4 and prior to 7.6.3

Description: Fortra GoAnywhere MFT contains a critical deserialization vulnerability in the License Servlet (CVE-2025-10035). An attacker who holds a validly forged license response signature can make the servlet deserialize an arbitrary actor-controlled object, which can lead to remote code execution. The flaw requires no authentication and carries a CVSS score of 10.0. Exploitation has been observed in the wild: threat actors, including the Storm-1175 group, have used it to deploy the Medusa ransomware, and attackers have been seen using it for initial access, lateral movement, and data exfiltration. The vulnerability was actively exploited before a patch was released, and over 20,000 systems are estimated to be exposed.

Recommendations: Update Fortra GoAnywhere MFT to version 7.8.4 or 7.6.3. Restrict access to the Admin Console to mitigate the risk.

Exploit · Fix · RCE · Deserialization of Untrusted Data · Command Injection

Weakness Enumeration

Related Identifiers

BDU:2025-11633
CVE-2025-10035

Affected Products

GoAnywhere MFT