A vulnerability classified as critical was discovered in Fortra's GoAnywhere MFT file transfer software on September 11, 2025. The manufacturer has since released an update to eliminate the vulnerability and make file transfer secure again. Users should react immediately and make sure that the Admin Console is not reachable from the internet.
According to the manufacturer Fortra, GoAnywhere MFT provides secure FTP functions that let companies protect their files. Fortra advertises that it enables easy connection to external cloud and web applications.
On September 11, 2025, a deserialization vulnerability was found in the license servlet of Fortra's GoAnywhere MFT. It allows an attacker with a validly forged license response signature to deserialize an arbitrary attacker-controlled object. This could potentially lead to command injection.
The vulnerability, CVE-2025-10035, has been assigned a CVSS 3.1 score of 10.0 and is classified as critical. The manufacturer has published a security advisory. Users should immediately ensure that the GoAnywhere Admin Console is not publicly accessible, because exploitation of this vulnerability depends to a large extent on systems being reachable externally via the Internet. Furthermore, an upgrade to a patched version (the latest version 7.8.4 or Sustain Release 7.6.3) should be performed.
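To apply the two recommendations above across several installations, the following added example (not code from Fortra or from this article) triages an asset inventory by version and Admin Console exposure. The inventory schema, host names and priority labels are hypothetical, and it assumes that 7.6.x builds belong to the Sustain branch while all other builds need 7.8.4 or later.

```python
import re

# Fixed releases named in the article: 7.8.4 (latest) and 7.6.3 (Sustain Release).
FIXED_LATEST = (7, 8, 4)
FIXED_SUSTAIN = (7, 6, 3)

def parse_version(text):
    """Return (major, minor, patch) from a string such as '7.8.4'."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\s*", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(part) for part in m.groups())

def is_patched(version):
    """Assumption: 7.6.x is the Sustain branch, fixed from 7.6.3;
    every other build is fixed only from 7.8.4 onward."""
    v = parse_version(version)
    if v[:2] == FIXED_SUSTAIN[:2]:
        return v >= FIXED_SUSTAIN
    return v >= FIXED_LATEST

def triage(host):
    """Classify one inventory record (hypothetical schema) for CVE-2025-10035."""
    try:
        patched = is_patched(host["version"])
    except (KeyError, ValueError):
        return "UNKNOWN: verify version manually"
    # Unknown exposure is treated as exposed, the conservative choice.
    exposed = host.get("admin_console_public", True)
    if not patched and exposed:
        return "URGENT: restrict Admin Console access and upgrade"
    if not patched:
        return "HIGH: upgrade to 7.8.4 or 7.6.3"
    if exposed:
        return "MEDIUM: patched, remove public Admin Console access"
    return "OK"

# Constructed sample inventory, not real hosts.
INVENTORY = [
    {"name": "mft-dmz-01", "version": "7.8.3", "admin_console_public": True},
    {"name": "mft-int-02", "version": "7.6.2", "admin_console_public": False},
    {"name": "mft-int-03", "version": "7.6.3", "admin_console_public": False},
    {"name": "mft-dmz-04", "version": "7.8.4"},
    {"name": "mft-lab-05", "version": "unknown"},
]

def report(inventory=INVENTORY):
    return {h["name"]: triage(h) for h in inventory}

if __name__ == "__main__":
    for name, status in report().items():
        print(f"{name}: {status}")
```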