Critical CVSS 10 Flaw in GoAnywhere File Transfer Threatens 20,000 Systems

Thousands of companies using Fortra’s GoAnywhere Managed File Transfer (MFT) solution are facing an immediate threat of full system takeover. The issue, officially labelled CVE-2025-10035 and published on September 18, 2025, carries the maximum risk score of 10.0, meaning criminals could gain complete control of systems designed to handle sensitive organisational data.

****What’s the Risk?****

This critical problem is rooted in Fortra’s GoAnywhere MFT’s License Servlet, a component that deals with license checks. It is essentially a deserialization vulnerability. To put it simply, MFT solutions are used by businesses to safely and reliably move large amounts of electronic data (like customer records/financial information) between systems. The software converts complex data into a simple format for transfer (serialisation) and then converts it back (deserialization).

The flaw allows a malicious person to trick the software during the reversal (deserialization) process by using a “validly forged license response signature” to load a harmful object, Fortra’s advisory explains. This can lead to command injection, letting an attacker run their own code on the system.

For your information, GoAnywhere MFT is a high-security solution that automates and protects data exchange for enterprises, including Fortune 500 deployments. So, this flaw may let an attacker seize the entire file transfer infrastructure, risking highly sensitive corporate and government data.

According to long technical analysis from watchTowr Labs, shared with Hackread.com, highlighted the gravity of the situation, noting that there are “over 20,000 instances exposed to the Internet. A playground APT groups dream about.”

Source: watchTowr Labs

Their analysis points to a significant mystery: despite the perfect CVSS 10.0 score, exploiting the bug appears difficult on paper due to a required signature verification check. Yet, the high score, combined with the vendor deleting and updating advisories, suggests the threat is very real as “no vendor assigns a CVSS 10 to a purely theoretical bug.”

This isn’t the first time we’ve seen this; back in 2023, a similar pre-authentication command injection flaw (CVE-2023-0669) in the same product was widely exploited by the cl0p ransomware gang.

****Immediate Action Needed to Protect Data****

The good news is that Fortra has released updates in version 7.8.4 and Sustain Release 7.6.3 to fix the flaw. Organisations are strongly urged to upgrade to one of these patched versions right away.

It is worth noting that this attack relies on the system being directly connected to the public internet, a situation common for these kinds of software. Therefore, as an additional safeguard, administrators should immediately ensure the GoAnywhere Admin Console is not open to the public. Limiting access by placing the service behind a firewall or a VPN is a vital first step, along with monitoring system logs for any unusual activity.

Ryan Dewhurst, a threat intelligence expert at watchTowr, considers this extremely serious, saying, “This issue is almost certain to be weaponised for in-the-wild exploitation soon.”

“The newly disclosed vulnerability in Fortra’s GoAnywhere MFT solution impacts the same license code path in the Admin Console as the earlier CVE-2023-0669, which was widely exploited by multiple ransomware and APT groups in 2023, including LockBit,“ he emphasised.

“With thousands of GoAnywhere MFT instances exposed to the Internet, this issue is almost certain to be weaponised for in-the-wild exploitation soon,“ Ryan warned.

“While Fortra notes exploitation requires external exposure, these systems are generally Internet-facing by design, so organisations should assume they are vulnerable. Organisations should apply the official patches immediately and take steps to restrict external access to the Admin Console,” Dewhurst noted in his comments shared with Hackread.com.