Fortra Patches Critical Command Injection Flaw in GoAnywhere MFT

A critical vulnerability has been discovered in Fortra’s GoAnywhere MFT software that demands urgent attention from IT administrators and security teams.

On September 18th, 2025, Fortra released a security advisory detailing a severe vulnerability in its popular GoAnywhere Managed File Transfer (MFT) solution. This is not a routine security update: the flaw carries the maximum CVSS score of 10.0, which puts it among the most serious vulnerabilities disclosed this year.

The vulnerability, designated CVE-2025-10035, affects the License Servlet component of GoAnywhere MFT. In simple terms, an attacker who can reach that servlet can submit a crafted license response that the software treats as trustworthy, and the way the servlet processes that response can end in malicious commands running on your server.
Here’s what makes this particularly concerning: an attacker who successfully exploits this vulnerability could potentially gain complete control over your file transfer system. This means they could access sensitive files, modify data, disrupt operations, or use your system as a launching pad for further attacks on your network.

How It Works

The technical details describe a deserialization vulnerability. Deserialization is the step where software turns bytes it has received (here, a license response) back into live objects; if the bytes are attacker-controlled and the code will rebuild whatever object types they describe, the attacker can pick types whose reconstruction runs code. In this case the GoAnywhere MFT License Servlet relies on the signature of the license response, and an actor holding a validly forged license response signature can make the servlet deserialize an arbitrary attacker-controlled object, which can lead to command injection.

What makes this more dangerous still is that the vulnerability can be exploited remotely over the network without authentication: an attacker needs neither valid user credentials nor physical access to compromise the system.
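The two failure modes described above, deserializing a message before its signature is checked and trusting the signature check alone when a signature can be forged, as an added Python illustration. This is not GoAnywhere's code (the product is Java, and its License Servlet internals are not reproduced here); the wire format (a pickle payload followed by a 32-byte HMAC-SHA256 tag), the shared key, the License and Gadget classes and the run_command stand-in for os.system are all assumptions made for the example.

```python
"""Added illustration: a signed-message handler that deserializes before it
verifies, beside one that verifies first and restricts what it deserializes.
Illustrative Python, not GoAnywhere's Java License Servlet; the wire format
(pickle payload + 32-byte HMAC-SHA256 tag), key and class names are assumed."""
import hashlib
import hmac
import io
import pickle

SIGNING_KEY = b"example-license-signing-key"  # assumed shared secret
TAG_LEN = 32  # HMAC-SHA256 digest length
EXECUTED = []  # commands the attacker-controlled object tried to run


def run_command(cmd):
    """Stand-in for os.system so the example stays harmless."""
    EXECUTED.append(cmd)
    return 0


class Gadget:
    """Attacker-controlled object: rebuilding it calls run_command(cmd)."""
    def __init__(self, cmd):
        self.cmd = cmd

    def __reduce__(self):
        return (run_command, (self.cmd,))


class License:
    """The only object type a genuine license response should contain."""
    def __init__(self, customer, expires):
        self.customer = customer
        self.expires = expires


def sign(payload):
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()


def make_response(obj):
    """What the license server (or an attacker holding the key) sends."""
    payload = pickle.dumps(obj)
    return payload + sign(payload)


def forge_response(obj):
    """What an attacker without the key sends: a garbage tag."""
    return pickle.dumps(obj) + b"\x00" * TAG_LEN


def vulnerable_handler(response):
    """Deserializes first, checks the tag afterwards: the Gadget's
    run_command call fires inside pickle.loads, before the check can reject."""
    payload, tag = response[:-TAG_LEN], response[-TAG_LEN:]
    obj = pickle.loads(payload)
    if not hmac.compare_digest(sign(payload), tag):
        raise ValueError("bad signature")
    return obj


class LicenseOnlyUnpickler(pickle.Unpickler):
    """Allow-list unpickler: resolves no global except License."""
    def find_class(self, module, name):
        if (module, name) == (__name__, "License"):
            return License
        raise pickle.UnpicklingError(f"forbidden type {module}.{name}")


def hardened_handler(response):
    """Verifies the tag over the raw bytes before touching the payload, then
    deserializes through the allow-list so that a forged-but-valid signature
    still cannot smuggle in a Gadget."""
    payload, tag = response[:-TAG_LEN], response[-TAG_LEN:]
    if not hmac.compare_digest(sign(payload), tag):
        raise ValueError("bad signature")
    return LicenseOnlyUnpickler(io.BytesIO(payload)).load()


def demo():
    """Runs each scenario and returns what happened."""
    results, cmd = {}, "touch /tmp/pwned"
    EXECUTED.clear()
    try:
        vulnerable_handler(forge_response(Gadget(cmd)))
    except ValueError:
        pass  # rejected, but too late: the command already ran
    results["vulnerable_ran"] = list(EXECUTED)
    EXECUTED.clear()
    try:
        hardened_handler(forge_response(Gadget(cmd)))
    except ValueError as e:
        results["hardened_forged_tag"] = str(e)
    try:  # attacker able to produce a valid tag (the CVE's precondition)
        hardened_handler(make_response(Gadget(cmd)))
    except pickle.UnpicklingError as e:
        results["hardened_valid_tag"] = str(e)
    results["hardened_ran"] = list(EXECUTED)
    lic = hardened_handler(make_response(License("acme", "2026-12-31")))
    results["license_customer"] = lic.customer
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The order of operations is the whole point: the vulnerable handler rejects the forged message too, but only after pickle.loads has already executed the attacker's reduce callable. The hardened handler verifies the raw bytes first, and then, because the CVE's precondition is an attacker who can present a valid-looking signature, it also refuses to reconstruct anything but the one expected type. Java's equivalent of that second layer is an ObjectInputFilter on the ObjectInputStream.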

GoAnywhere MFT systems typically handle sensitive data including financial records, customer information, and regulatory compliance documents. Successful exploitation could lead to data breaches, regulatory violations, operational disruption, and potential legal liability.

If your organization runs an affected version of GoAnywhere MFT (any release before 7.8.4, or before 7.6.3 on the 7.6 Sustain branch), and especially if the Admin Console or any other part of the deployment is reachable from the internet, secure your environment as follows:

Securing Your Admin Console

The most important immediate step is to make sure your GoAnywhere Admin Console is not reachable from the public internet: restrict it to trusted networks, for example behind a VPN or an allow-list of administrative addresses. This is Fortra's own mitigation guidance and it sharply reduces your exposure while you plan the permanent fix. Keep in mind that it is a mitigation, not a patch: an attacker who already has a foothold on a network that can reach the console is not stopped by it.

Upgrade

Fortra has published both mitigation guidance and fixed releases. Upgrade to version 7.8.4, or to Sustain Release 7.6.3 if you are on the 7.6 branch; every earlier version is affected. For an unauthenticated, network-reachable flaw rated CVSS 10.0, treat the upgrade as an emergency change rather than waiting for a routine maintenance window: the longer the system stays unpatched, the greater the exposure.

Patching does not tell you whether you were attacked before the patch landed, so also review your logs. Fortra's advisory lists one indicator of compromise: errors in the Admin Audit log containing the string SignedObject.getObject. Check for it before and after upgrading, and treat a hit as a potential compromise of the file transfer system and the files it holds.

For complete technical details, affected versions and the official mitigation steps, consult Fortra's security advisory for CVE-2025-10035.

