Vulnerability Database

309,540

Total vulnerabilities in the database

CVE-2025-10035

A deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection.

Published: Sep 18, 2025
Updated: Nov 16, 2025
CVE: CVE-2025-10035
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 10
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CWEs:

CWE-502
CWE-77

OWASP TOP 10:

A8 - Insecure Deserialization
A1 - Injection

Affected Software
References

Software	From	Fixed in
fortra / goanywhere_managed_file_transfer	-	7.6.3
fortra / goanywhere_managed_file_transfer	7.7.0	7.8.4

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-10035
https://www.fortra.com/security/advisories/product-security/fi-2025-012

Deep Security Visibility Without the Complexity

SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.

No setup fees
5-min deployment
Cancel anytime

Book a Demo