CVE-2025-10035 — Fortra GoAnywhere MFT Deserialization of Untrusted Data Vulnerability

CVE-2025-10035

Fortra GoAnywhere MFT — Pre-Auth 3-Bug Chain (Auth Bypass + Deserialization RCE); Storm-1175/Medusa Ransomware

What is Fortra GoAnywhere MFT?

Fortra GoAnywhere MFT (Managed File Transfer) is an enterprise platform used to securely transfer sensitive files between internal systems, trading partners, customers, and cloud storage. Organizations in finance, healthcare, government, and retail rely on it to automate compliant data exchange. GoAnywhere is often internet-facing by design — administrators access the web-based admin console over HTTPS, and the platform integrates with many upstream and downstream business processes.

GoAnywhere MFT has been targeted before. CVE-2023-0669, a prior critical flaw in the same product, was mass-exploited by the Clop ransomware group to steal data from over 100 organizations in early 2023 without deploying ransomware. CVE-2025-10035 follows a familiar pattern: unauthenticated access to a sensitive internal service leading to full system compromise.

Overview

CVE-2025-10035 is a CVSS 10.0 deserialization vulnerability in the Fortra GoAnywhere MFT License Servlet. Research by watchTowr Labs exposed a three-flaw attack chain that allows an unauthenticated attacker to achieve remote code execution on any internet-accessible GoAnywhere instance. The Storm-1175 threat group (associated with Medusa ransomware) was observed actively exploiting the vulnerability before CISA added it to the KEV catalog on September 29, 2025.

Affected Versions

Product                     Vulnerable    Fixed
GoAnywhere MFT (current)    ≤ 7.8.3       7.8.4
GoAnywhere MFT (sustain)    ≤ 7.6.2       7.6.3

Technical Details

The exploit chain combines three weaknesses in and around the GoAnywhere License Servlet:

Step 1 — Authentication bypass. Requesting /goanywhere/license/Unlicensed.xhtml with an extra path component (e.g., /x) and a malformed JSF ViewState routes the request through AdminErrorHandlerServlet, which generates a valid license-request token and stores it in the attacker's session. No credentials are required at any point.

Step 2 — Token reuse. That forged token satisfies the check that normally keeps the license endpoints reachable only from an authenticated admin session, so the attacker can now drive the license workflow as if an administrator had started it.

Step 3 — Insecure Java deserialization. The License Servlet reads a serialized Java object from the bundle parameter and treats it as a license response. A forged response has to be produced with a private key that an attacker is not expected to possess (see the note on the key below). Given that key, the server deserializes an attacker-controlled object, and a gadget chain available on the classpath turns the deserialization into command execution, which is why the CVE is classified as CWE-77 (command injection) rather than CWE-502.

The full chain achieves pre-authentication RCE with the privileges of the GoAnywhere service account, which typically has broad filesystem and network access.

Key characteristics:

  • CVSS 10.0 (maximum score): unauthenticated, network-reachable, full impact across a changed scope
  • Exploitable against any GoAnywhere admin console reachable from the internet
  • watchTowr could not establish how an attacker would obtain the private key that step 3 depends on; in-the-wild exploitation implies the actors have it, or an equivalent, obtained by some other means
  • Approximately 20,000 GoAnywhere MFT instances were internet-exposed at disclosure

Discovery

Fortra published its advisory and fixed releases on September 18, 2025. watchTowr Labs researchers Sonny and Piotr Bazydlo published the analysis that laid out the three-bug chain.

Exploitation Context

Storm-1175 (Microsoft's tracking designation for a Medusa ransomware-affiliated operator) was actively exploiting CVE-2025-10035 before the KEV listing. Observed post-exploitation TTPs:

  • .jsp webshell drops on the GoAnywhere host
  • Network scanning for lateral movement targets
  • Cloudflare tunnel established as command-and-control channel
  • mstsc.exe invoked for RDP pivoting to adjacent hosts
  • Medusa ransomware deployed as the final payload

Microsoft MSTIC documented the Storm-1175 exploitation campaign in a blog published October 6, 2025. The CISA KEV listing explicitly flags ransomwareUse: true. This is the second mass exploitation of GoAnywhere MFT by an extortion crew since the Clop CVE-2023-0669 data-theft campaign of early 2023; this time the intrusions ended in ransomware.

Remediation

  1. Upgrade GoAnywhere MFT immediately to version 7.8.4 (current release) or 7.6.3 (sustain release). Log into the admin console and check Help → About for the running version.
  2. Restrict admin console access: place GoAnywhere's admin portal behind a VPN or IP allowlist. It should never be directly internet-accessible, and an upgrade alone does not evict an attacker who is already inside.
  3. Hunt for indicators of compromise: unexpected .jsp files in the GoAnywhere web application directories, new administrative user accounts, and outbound connections to Cloudflare tunnel endpoints.
  4. Review logs for exploitation attempts: requests to /goanywhere/license/Unlicensed.xhtml with an extra path component and invalid ViewState values. The access log shows the path; the ViewState value travels in the POST body, so seeing it requires request-body logging from a WAF or reverse proxy.
  5. Isolate affected instances immediately if compromise is suspected; Storm-1175 moves quickly from initial access to ransomware deployment.
  6. Notify your security team and legal counsel if data was accessed. GoAnywhere stores sensitive files by design, so any breach is likely to trigger regulatory notification obligations.
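The version check in step 1 and the log review in steps 3 and 4, as an added example that is not Fortra's tooling and not code from the advisory. It assumes the access log is in Tomcat/Apache "common" format, that the console's legitimate pages are JSF .xhtml views (so any .jsp under the webapp is worth a look), and the sample log lines are constructed, with IPs from documentation ranges and a hypothetical webshell name:

```python
"""Hunting helpers for CVE-2025-10035 on a GoAnywhere MFT host.

Added example for this page, not Fortra's tooling. Assumptions: access logs
are in Tomcat/Apache "common" format, legitimate console pages are JSF
.xhtml views, and SAMPLE_LOG below is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Fixed releases per branch from the Fortra advisory: 7.6.x (sustain) -> 7.6.3,
# everything else on the current branch -> 7.8.4.
FIXED_VERSIONS = {"7.6": (7, 6, 3), "7.8": (7, 8, 4)}

UNLICENSED_PATH = "/goanywhere/license/Unlicensed.xhtml"

# host ident authuser [date] "METHOD path PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_version(version: str) -> tuple:
    return tuple(int(p) for p in version.strip().split("."))


def is_vulnerable(version: str) -> bool:
    """True when `version` predates the fix for its branch.

    7.6.x is measured against the sustain fix 7.6.3; every other 7.x version
    (7.7.x, 7.8.0 to 7.8.3, ...) against the current-branch fix 7.8.4.
    """
    parts = parse_version(version)
    branch = f"{parts[0]}.{parts[1]}"
    return parts < FIXED_VERSIONS.get(branch, FIXED_VERSIONS["7.8"])


def classify_request(path: str):
    """Return a reason string if the request matches the pattern described
    in the advisory, else None."""
    path = path.split("?", 1)[0]
    if path.startswith(UNLICENSED_PATH + "/"):
        # An extra path component after the unlicensed page (e.g. ".../x")
        # is the trigger for the error-handler token forgery (step 1).
        return "path suffix appended to Unlicensed.xhtml"
    if path.startswith("/goanywhere/") and path.lower().endswith(".jsp"):
        # Console views are .xhtml; a .jsp under the webapp is a candidate
        # webshell (assumption: no legitimate .jsp pages are served).
        return "request for a .jsp resource under the webapp"
    return None


def scan_access_log(lines):
    """Yield one dict per suspicious request; unparsable lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = classify_request(m["path"])
        if reason:
            yield {
                "ip": m["ip"],
                "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
                "method": m["method"],
                "path": m["path"],
                "status": int(m["status"]),
                "reason": reason,
            }


def triage_by_source(hits):
    """Group hits per source IP, oldest first, so one actor's sequence
    (token forgery, then webshell use) stands out."""
    by_ip = defaultdict(list)
    for h in hits:
        by_ip[h["ip"]].append(h)
    for seq in by_ip.values():
        seq.sort(key=lambda h: h["ts"])
    return dict(by_ip)


# Constructed sample; the .jsp name is hypothetical.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Sep/2025:03:14:07 +0000] "GET /goanywhere/license/Unlicensed.xhtml HTTP/1.1" 200 4120
203.0.113.7 - - [12/Sep/2025:03:14:09 +0000] "POST /goanywhere/license/Unlicensed.xhtml/x HTTP/1.1" 200 2210
198.51.100.4 - - [12/Sep/2025:03:20:11 +0000] "GET /goanywhere/auth/Login.xhtml HTTP/1.1" 200 8019
203.0.113.7 - - [12/Sep/2025:03:15:42 +0000] "GET /goanywhere/images/tmp.jsp?cmd=id HTTP/1.1" 200 118
"""

if __name__ == "__main__":
    for v in ("7.8.3", "7.8.4", "7.6.2", "7.6.3"):
        print(v, "vulnerable" if is_vulnerable(v) else "fixed")
    hits = scan_access_log(SAMPLE_LOG.splitlines())
    for ip, seq in triage_by_source(hits).items():
        for h in seq:
            print(ip, h["ts"].isoformat(), h["method"], h["path"], "->", h["reason"])
```

A plain request for Unlicensed.xhtml is normal for an unlicensed or freshly installed instance and is not flagged; only the trailing path component is. The ViewState value never reaches the access log, so pair this with WAF or reverse-proxy request-body logs if you have them, and treat a source that appears under both reasons as a priority for isolation.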

Key Details

Property                Value
CVE ID                  CVE-2025-10035
Vendor / Product        Fortra — GoAnywhere MFT
NVD Published           2025-09-18
NVD Last Modified       2025-10-24
CVSS 3.1 Score          10.0
CVSS 3.1 Vector         CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Severity                CRITICAL
CWE                     CWE-77 (Improper Neutralization of Special Elements used in a Command)
CISA KEV Added          2025-09-29
CISA KEV Deadline       2025-10-20
Known Ransomware Use    ⚠️ Yes

CVSS 3.1 Breakdown

Attack Vector           Network
Attack Complexity       Low
Privileges Required     None
User Interaction        None
Scope                   Changed
Confidentiality         High
Integrity               High
Availability            High

Required Action

CISA BOD 22-01 Deadline: 2025-10-20. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date          Event
2025-09-18    CVE published; watchTowr Labs discloses three-bug chain
2025-09-18    Fortra releases fixed versions 7.8.4 and 7.6.3
2025-09-29    Added to CISA Known Exploited Vulnerabilities catalog (Storm-1175/Medusa ransomware active exploitation confirmed)
2025-10-06    Microsoft MSTIC publishes Storm-1175 exploitation TTPs
2025-10-20    CISA BOD 22-01 remediation deadline