## https://sploitus.com/exploit?id=B275EE52-7D38-5A46-B991-E782100F111D
# CVE-2025-10035 โ Fortra GoAnywhere MFT License Servlet Deserialization RCE
[](https://vulners.com/cve/CVE-2025-10035)
[](https://nvd.nist.gov/vuln/detail/CVE-2025-10035)
[](https://cwe.mitre.org/data/definitions/502.html)
[](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
[](#)
> Research writeup by **Sentinel AI Defense**. Defensive analysis only โ no working exploit
> or PoC is published here.
A perfect-10 deserialization chain in Fortra GoAnywhere MFT: a forged license response signature lets
an unauthenticated attacker deserialize an arbitrary object and reach command execution on the
file-transfer server.
๐ Full writeup: https://sentinelaidefense.com/posts/cve-2025-10035-goanywhere-deserialization.html
---
## Overview
CVE-2025-10035 is a critical deserialization vulnerability in the License Servlet of Fortra GoAnywhere
Managed File Transfer (MFT). It allows an actor with a validly forged license response signature to
deserialize an arbitrary attacker-controlled object, leading to command injection and unauthenticated
remote code execution (RCE).
The flaw has a CVSS score of **10.0 (Critical)**. It was disclosed on **September 18, 2025**, and
quickly added to the CISA KEV catalog due to active exploitation risks. This vulnerability is notable
for its high impact on managed file transfer systems handling sensitive data.
## Affected Versions
- GoAnywhere MFT versions prior to **7.8.4** (sustain release: prior to **7.6.3**)
Patches were released in September 2025. Cloud-hosted MFTaaS instances were updated by Fortra. Earlier
versions (including some still in support) are vulnerable if the License Servlet is exposed.
## Technical Breakdown (Root Cause)
The vulnerability resides in the license validation logic within the License Servlet. The component
fails to properly sanitize and validate serialized objects in forged license responses, even when a
signature is present. This enables unsafe Java deserialization of attacker-controlled gadgets, which
can chain into command injection on the underlying OS.
It is a combination of issues, including an access control bypass (known in prior versions) and unsafe
handling of deserialized objects. The attack does not require prior authentication if the servlet
endpoint is reachable. Researchers noted it as a "perfect" CVSS 10.0 chain with high reliability.
## Attack Chain
1. Attacker forges a malicious license response (with valid signature bypass).
2. Sends it to the exposed License Servlet endpoint.
3. Unsafe deserialization triggers a gadget chain.
4. Leads to arbitrary command execution on the MFT server (full RCE).
Exploitation is **unauthenticated** and can be performed remotely. Scanning and exploitation attempts
were observed shortly after disclosure, consistent with patterns seen in previous GoAnywhere
incidents.
## Detection Guidance
- Monitor Admin Audit logs and application logs for suspicious license-related activity or errors
involving deserialization.
- Look for unexpected inbound requests to License Servlet endpoints (often under `/license` or similar
paths).
- Detect anomalous process creation, command execution, or file modifications on the MFT server.
- Network-level: unusual serialized payloads or forged license responses in HTTP traffic to the admin
interface.
- Use WAF rules or endpoint detection for Java deserialization patterns (e.g., ysoserial-like
gadgets).
Fortra recommends reviewing logs for indicators of compromise.
## Indicators of Compromise
- Requests to License Servlet with forged license data.
- Suspicious serialized Java objects in HTTP POST bodies.
- Post-exploitation artifacts: unexpected shells, webshells, or commands (e.g., related to data
exfiltration from MFT environments).
- Known malicious IP ranges or user-agents associated with early scanning (post-September 18, 2025).
Refer to the Fortra advisory and CISA for comprehensive lists.
## Mitigation
- Upgrade immediately to GoAnywhere MFT **7.8.4** or **7.6.3** (sustain release).
- Restrict network access to the Admin Console and License Servlet โ expose only to trusted IP ranges
or via VPN.
- Monitor and audit license-related activities closely.
- Apply the principle of least privilege; limit the MFT service account permissions.
- Consider temporary isolation of vulnerable instances until patched.
Due to the critical nature and history of GoAnywhere being targeted (e.g., by **CL0P** in prior
years), prioritize patching and forensic review if exposure is suspected.
## References
- Fortra GoAnywhere MFT security advisory
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-10035
- CISA Known Exploited Vulnerabilities Catalog
## Disclaimer
This repository is published for **defensive and educational purposes only**. It contains analysis,
detection logic, and mitigation guidance. No functional exploit code is provided. Use this
information only on systems you are authorized to test and defend.
---
Maintained by Sentinel AI Defense ยท
Findings shared responsibly under coordinated disclosure.