PT-2025-38495 · Fortra · GoAnywhere MFT

Published

2025-09-11

·

Updated

2025-09-28

·

CVE-2025-10035

CVSS v3.1
10
Vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

**Name of the Vulnerable Software and Affected Versions**

Fortra GoAnywhere MFT versions prior to 7.8.4

Fortra GoAnywhere MFT versions prior to 7.6.3 (7.6 Sustain release branch)

**Description**

A critical deserialization vulnerability exists in the License Servlet of Fortra GoAnywhere MFT. An attacker holding a validly forged license response signature can make the servlet deserialize an arbitrary attacker-controlled object, potentially leading to command injection and remote code execution. Exploitation began before the public advisory was released; reports place the earliest activity on September 10, 2025. Attackers have been observed using the flaw to plant backdoors and execute arbitrary code, and approximately 44,700 instances are exposed to the internet, including systems belonging to Fortune 500 companies. The vulnerability carries a CVSS v3.1 score of 10.0 (critical). Observed post-exploitation activity has involved the SimpleHelp remote-support tool, with payloads such as `zato_be.exe` and `jwunst.exe`.

**Recommendations**

Fortra GoAnywhere MFT versions prior to 7.8.4: Update to version 7.8.4 or later.

Fortra GoAnywhere MFT versions prior to 7.6.3: Update to version 7.6.3 or later.

Ensure the Admin Console is not reachable from the public internet; restricting it reduces exposure for instances that cannot be updated immediately.
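Added example (not part of this advisory and not Fortra's code): a Python triage helper that applies the two fix thresholds above to an installed version string and scans Admin Audit log text for the error string `SignedObject.getObject`, which Fortra's advisory named as the sign of an attempted exploit against the License Servlet. The sample log lines are constructed for this example; the real log layout differs.

```python
"""Triage helper for CVE-2025-10035 (GoAnywhere MFT License Servlet
deserialization). Added example, not Fortra's code."""
import re
from typing import Iterable, List, Tuple

Version = Tuple[int, int, int]

# Fixed releases from the advisory: 7.8.4 on the main line and 7.6.3 on the
# 7.6 Sustain branch. Every other release below 7.8.4 is unpatched.
FIXED_MAIN: Version = (7, 8, 4)
FIXED_SUSTAIN: Version = (7, 6, 3)

# Error text Fortra's advisory told administrators to look for in the Admin
# Audit log: it is emitted when the License Servlet fails while deserializing
# a (forged) signed license response.
INDICATOR = "SignedObject.getObject"

# Constructed sample of an Admin Audit log; the layout is made up for this
# example and is not GoAnywhere's real log format.
SAMPLE_ADMIN_AUDIT_LOG = """\
2025-09-11 08:12:03 INFO  [AdminConsole] Administrator login succeeded from 10.0.0.5
2025-09-11 08:14:22 ERROR [LicenseServlet] Error parsing license response: java.lang.ClassCastException at java.security.SignedObject.getObject(SignedObject.java)
2025-09-11 08:15:01 INFO  [Scheduler] Scheduled job 'nightly-cleanup' completed
"""


def parse_version(text: str) -> Version:
    """Parse '7.8.3', '7.8' or '7.8.3.1' into (major, minor, patch)."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:\.\d+)*", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_vulnerable(version: str) -> bool:
    """True if the installed release predates the fix for its branch."""
    v = parse_version(version)
    if v[:2] == FIXED_SUSTAIN[:2]:          # 7.6.x Sustain branch
        return v < FIXED_SUSTAIN
    return v < FIXED_MAIN                   # everything else


def find_indicators(lines: Iterable[str]) -> List[str]:
    """Return log lines that carry the deserialization-error indicator."""
    return [ln.rstrip() for ln in lines if INDICATOR in ln]


def triage(version: str, log_text: str) -> dict:
    """Combine the version check and the log scan into one verdict."""
    hits = find_indicators(log_text.splitlines())
    vulnerable = is_vulnerable(version)
    if hits:
        action = "investigate: possible exploitation attempt"
    elif vulnerable:
        action = "update"
    else:
        action = "patched"
    return {
        "version": version,
        "vulnerable": vulnerable,
        "indicator_hits": hits,
        "action": action,
    }


if __name__ == "__main__":
    for ver in ("7.8.3", "7.8.4", "7.6.2", "7.6.3", "7.7.0"):
        print(f"{ver}: {'vulnerable' if is_vulnerable(ver) else 'patched'}")
    result = triage("7.8.3", SAMPLE_ADMIN_AUDIT_LOG)
    print(result["action"])
    for hit in result["indicator_hits"]:
        print("  ", hit)
```

The branch-aware comparison matters: a 7.6.3 Sustain install is patched even though it is numerically below 7.8.4, while 7.7.x installs are not. A log hit takes precedence over the version verdict because an error from `SignedObject.getObject` on an already-patched host still indicates someone tried.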

Exploit

Fix

RCE

Deserialization of Untrusted Data

Command Injection

Weakness Enumeration

Related Identifiers

BDU:2025-11633
CVE-2025-10035

Affected Products

GoAnywhere MFT