Unrated severity · CISA KEV · NVD Advisory · Published Sep 18, 2025 · Updated Feb 26, 2026
Deserialization Vulnerability in GoAnywhere MFT's License Servlet
CVE-2025-10035
Description
A deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection.
Affected products
- (no CPE)
- (no CPE), range: 0
Patches
Vulnerability mechanics
References
News mentions
- Storm-1175 Exploits Flaws in High-Velocity Medusa Attacks (Infosecurity Magazine · Apr 7, 2026)
- Risky Business #809 -- Hackers try to pay a journalist for access to the BBC (Risky Business · Oct 1, 2025)