Secure file transfer (MFT) services are a prime target for attackers. And now, GoAnywhere MFT—a widely used platform for secure data exchange—is facing a serious threat: CVE-2025-10035, a critical vulnerability that could lead to command injection with potentially devastating consequences if left unpatched.
At TecnetOne, we're breaking down what this flaw means, how it can affect your organization, and the steps you should take now to stay safe.
Discovered on September 11, 2025, and publicly disclosed on September 18, this vulnerability has been rated a perfect 10.0 on the CVSS scale—indicating maximum severity.
The issue lies in the License Servlet component of GoAnywhere MFT. Due to a deserialization flaw, an attacker can forge the signature of a valid license and trick the system into loading a malicious object. This leads to command injection—effectively granting the attacker significant control over the compromised environment.
What makes it especially dangerous:
In short: no need for sophisticated skills or for anyone to click a malicious link. If your GoAnywhere Admin Console is exposed to the internet, you're at risk.
CVE-2025-10035 (Source: SOCRadar Vulnerability Intelligence)
Organizations with their Admin Console exposed publicly are the most vulnerable. If your GoAnywhere setup is internal-only, risk is reduced—but not eliminated.
To check for possible compromise, review admin audit logs and error logs, especially for messages referencing:
SignedObject.getObject
This may indicate an attempt to load a malicious license response.
Learn more: Google Patches a Zero-Day Vulnerability in Chrome CVE-2025-6558
As of now, there are no confirmed public reports of active exploitation—but the past tells a different story.
In 2023, a previous flaw in GoAnywhere (CVE-2023-0669) was exploited by the Clop ransomware group, leading to widespread breaches.
Given this precedent, CVE-2025-10035 is a high-priority target. In fact, Shadowserver is already tracking 450+ internet-exposed instances of GoAnywhere—many likely still unpatched.
Fortra, the company behind GoAnywhere, has released patches. Here's what you should do:
At TecnetOne, we always say: delaying a critical patch is like leaving your office door wide open overnight.
It's not just about remote code execution—the context amplifies the risk:
That makes it an ideal target for ransomware groups and state-sponsored threat actors.
Read more: 8 Steps to Performing a Network Vulnerability Assessment
CVE-2025-10035 is a stark reminder of how fragile a company’s digital perimeter can be. Common issues that increase risk include:
Continuous monitoring is just as important as patching.
GoAnywhere MFT instances exposed over the internet (Source: Shadowserver)
Besides patching and mitigating access, we recommend strengthening your defenses with these actions:
At TecnetOne, we can help you build these layers of defense—not just for this threat, but for the next ones to come.
CVE-2025-10035 in GoAnywhere MFT is not a routine advisory—it’s a critical, remotely exploitable vulnerability with no user interaction needed and maximum CVSS severity.
There may not be confirmed exploits yet, but attackers move fast. That’s why immediate action is essential: patch the system, restrict unnecessary access, and reinforce your monitoring.
At TecnetOne, we believe that prevention is the best defense. In a world where cybercriminals work 24/7, your speed of response could be the only thing standing between a blocked attack—or a multimillion-dollar breach.