GoAnywhere MFT - RCE (CVE-2025-10035)

CVE-2025-10035 is a critical deserialization vulnerability in Fortra's GoAnywhere MFT License Servlet that lets an unauthenticated attacker present a forged license response to force the server to deserialize attacker-controlled objects, potentially resulting in command injection and remote code execution.

CrowdSec has been tracking this vulnerability and its exploits since 24th of September 2025.

Insights from the CrowdSec network reveal that the attackers trying to exploit CVE-2025-10035 are composed of a fairly even mix of opportunistic and targeted actors. Some attackers employ preliminary reconnaissance, while others use indiscriminate scanning. Additionally, according to week-over-week analysis by CrowdSec, exploitation of CVE-2025-10035 is surging. Attack volumes are spiking well above historical norms, indicating widespread and escalating interest from threat actors. CVE-2025-10035 is currently experiencing high visibility and active exploitation across the internet.

Attackers trigger the unlicensed activation flow (e.g., /goanywhere/license/Unlicensed.xhtml with GARequestAction=activate) to obtain a session-linked token/UUID and then POST a crafted bundle to the license accept endpoint (/goanywhere/lic/accept/<GUID>). The server deserializes that bundle, allowing attacker-controlled objects to execute on the server.