Managed file transfer (MFT) services are a prime target for attackers. And now, GoAnywhere MFT, a widely used platform for secure data exchange, is facing a serious threat: CVE-2025-10035, a critical vulnerability that could lead to command injection with potentially devastating consequences if left unpatched.
At TecnetOne, we're breaking down what this flaw means, how it can affect your organization, and the steps you should take now to stay safe.
What Is CVE-2025-10035?
Discovered on September 11, 2025, and publicly disclosed on September 18, this vulnerability has been rated a perfect 10.0 on the CVSS scale—indicating maximum severity.
The issue lies in the License Servlet component of GoAnywhere MFT. Due to a deserialization flaw, an attacker can forge the signature of a valid license and trick the system into loading a malicious object. This leads to command injection—effectively granting the attacker significant control over the compromised environment.
What makes it especially dangerous:
- It’s remotely exploitable
- It requires no user interaction
- It is low in complexity to execute
In short: no need for sophisticated skills or for anyone to click a malicious link. If your GoAnywhere Admin Console is exposed to the internet, you're at risk.
CVE-2025-10035 (Source: SOCRadar Vulnerability Intelligence)
Who Is at Risk?
Organizations with their Admin Console exposed publicly are the most vulnerable. If your GoAnywhere setup is internal-only, risk is reduced—but not eliminated.
To check for possible compromise, review admin audit logs and error logs, especially for messages referencing:
SignedObject.getObject
This may indicate an attempt to load a malicious license response.
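The log check described above, as an added example (not TecnetOne's or Fortra's code): it groups each timestamped entry with the stack-trace lines that follow it and reports entries whose trace mentions SignedObject.getObject. The timestamp layout, the sample lines and the `example.license` class name are constructed for illustration; adjust the pattern to your actual log format.

```python
import re
import sys

INDICATOR = "SignedObject.getObject"
# Assumption: each log entry starts with a "YYYY-MM-DD HH:MM:SS" timestamp and
# any Java stack trace follows on untimestamped lines.
ENTRY_START = re.compile(r"^(\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}:\d{2})")

def split_entries(lines):
    """Yield each log entry as a list: the timestamped line plus its trace lines."""
    entry = []
    for line in lines:
        line = line.rstrip("\n")
        if ENTRY_START.match(line) and entry:
            yield entry
            entry = []
        if line.strip():
            entry.append(line)
    if entry:  # last entry, or a trace orphaned at the top of a rotated file
        yield entry

def find_hits(lines):
    """Return one record per entry whose text references the indicator."""
    hits = []
    for entry in split_entries(lines):
        frames = [l.strip() for l in entry if INDICATOR in l]
        if frames:
            start = ENTRY_START.match(entry[0])
            hits.append({
                "time": start.group(1) if start else None,
                "summary": entry[0].strip(),
                "frame": frames[0],
                "lines": len(entry),
            })
    return hits

# Constructed sample input, not real GoAnywhere output.
SAMPLE_LOG = """\
2025-09-20 02:14:07 INFO  Admin user 'ops' logged in
2025-09-20 02:15:31 ERROR Error parsing license response
java.lang.RuntimeException: InvocationTargetException
\tat java.base/java.security.SignedObject.getObject(Unknown Source)
\tat example.license.Verifier.verify(Verifier.java:10)
2025-09-20 02:16:02 INFO  Transfer job 42 completed
""".splitlines()

if __name__ == "__main__":
    # Pass log file paths as arguments; with none, the constructed sample is used.
    paths = sys.argv[1:]
    sources = [open(p, errors="replace") for p in paths] or [SAMPLE_LOG]
    for src in sources:
        for hit in find_hits(src):
            print(f"{hit['time']}  {hit['summary']}  ->  {hit['frame']}")
```

A hit only tells you that a license response failed inside signed-object handling at that time; correlate the timestamp with the admin audit log and network logs before drawing conclusions.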
Is the Vulnerability Being Exploited?
As of now, there are no confirmed public reports of active exploitation—but the past tells a different story.
In 2023, a previous flaw in GoAnywhere (CVE-2023-0669) was exploited by the Clop ransomware group, leading to widespread breaches.
Given this precedent, CVE-2025-10035 is a high-priority target. In fact, Shadowserver is already tracking 450+ internet-exposed instances of GoAnywhere—many likely still unpatched.
How to Protect Yourself
Fortra, the company behind GoAnywhere, has released patches. Here's what you should do:
- Update immediately to GoAnywhere MFT version 7.8.4, or at minimum, Sustain Release 7.6.3
- Restrict external access to the Admin Console if you can’t patch right away
- Monitor logs for anomalies, especially those related to SignedObject.getObject
- Stay up to date with Fortra’s security bulletins for ongoing updates
At TecnetOne, we always say: delaying a critical patch is like leaving your office door wide open overnight.
Why This Vulnerability Is So Severe
It's not just about remote code execution—the context amplifies the risk:
- GoAnywhere MFT is used to move high-value, sensitive data
- A breach can expose financial info, customer records, and IP
- MFT platforms often connect to multiple internal systems, making lateral movement easy for attackers
That makes it an ideal target for ransomware groups and state-sponsored threat actors.
A Reminder: Your Attack Surface Is Always Changing
CVE-2025-10035 is a stark reminder of how fragile a company’s digital perimeter can be. Common issues that increase risk include:
- Leaving admin interfaces publicly accessible
- Delaying patching
- Forgetting about “abandoned” but still-active services
Continuous monitoring is just as important as patching.
GoAnywhere MFT instances exposed over the internet (Source: Shadowserver)
What You Can Do Right Now
Besides patching and mitigating access, we recommend strengthening your defenses with these actions:
- Automate vulnerability scanning to detect issues proactively
- Segment your network to contain breaches if they occur
- Train your IT and security teams to spot early warning signs
- Develop an incident response plan so you can act quickly if needed
At TecnetOne, we can help you build these layers of defense—not just for this threat, but for the next ones to come.
Final Thoughts
CVE-2025-10035 in GoAnywhere MFT is not a routine advisory—it’s a critical, remotely exploitable vulnerability with no user interaction needed and maximum CVSS severity.
There may not be confirmed exploits yet, but attackers move fast. That’s why immediate action is essential: patch the system, restrict unnecessary access, and reinforce your monitoring.
At TecnetOne, we believe that prevention is the best defense. In a world where cybercriminals work 24/7, your speed of response could be the only thing standing between a blocked attack and a multimillion-dollar breach.