Fortra warns of max severity flaw in GoAnywhere MFT’s License Servlet

Fortra disclosed a critical vulnerability (CVE-2025-10035) in the GoAnywhere Managed File Transfer (MFT) platform’s License Servlet that enables remote command injection through deserialization of untrusted data. The flaw can be exploited in low-complexity attacks without user interaction if the admin console is exposed to the internet, potentially allowing full compromise of systems used to handle sensitive enterprise data.

This disclosure follows a history of high-profile exploitation of GoAnywhere MFT, most notably Clop ransomware’s 2023 campaign leveraging a separate zero-day that affected more than 130 organizations. The recurrence of critical vulnerabilities in secure file transfer platforms underscores their attractiveness to threat actors, given their role in handling sensitive data flows. While active exploitation of CVE-2025-10035 has not been observed yet, the combination of broad enterprise adoption and adversary precedent makes the flaw strategically significant