VYPR
Unrated severityCISA KEVNVD Advisory· Published Sep 18, 2025· Updated Feb 26, 2026

Deserialization Vulnerability in GoAnywhere MFT's License Servlet

CVE-2025-10035

Description

A deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection.

Affected products

2

Patches

Vulnerability mechanics

References

1

News mentions

2