GoAnywhere MFT - RCE (CVE-2025-10035)

CVE-2025-10035 is a critical deserialization vulnerability in Fortra's GoAnywhere MFT License Servlet that lets an unauthenticated attacker present a forged license response to force the server to deserialize attacker-controlled objects, potentially resulting in command injection and remote code execution.

CrowdSec has been tracking this vulnerability and its exploits since 24th of September 2025.

Data from the CrowdSec community indicates that exploitation of CVE-2025-10035 is highly selective and intelligence-driven. Threat actors use advanced reconnaissance and carefully choose their targets, often as part of sophisticated campaigns or advanced persistent threat operations. In addition, according to the CrowdSec network, attack volume against CVE-2025-10035 has dipped slightly compared to the previous week. Although still commonly targeted, the decline suggests a cooling-off period. Long-term relevance remains, but attention is waning.

Attackers trigger the unlicensed activation flow (e.g., /goanywhere/license/Unlicensed.xhtml with GARequestAction=activate) to obtain a session-linked token/UUID and then POST a crafted bundle to the license accept endpoint (/goanywhere/lic/accept/<GUID>). The server deserializes that bundle, allowing attacker-controlled objects to execute on the server.