Unrated severityCISA KEVNVD Advisory· Published Sep 18, 2025· Updated Feb 26, 2026

Deserialization Vulnerability in GoAnywhere MFT's License Servlet

CVE-2025-10035

Description

A deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection.

Affected products

Fortra/GoAnywhere MFTv5
Range: 0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.fortra.com/security/advisories/product-security/fi-2025-012mitre

News mentions

Storm-1175 Exploits Flaws in High-Velocity Medusa Attacks
Infosecurity Magazine · Apr 7, 2026

cvss	0.000
epss	0.048
exploit	0.000
kev	0.120
patch	0.000
ransomware	0.060