Critical GoAnywhere MFT Vulnerability Allows Unauthorized Access
A critical security vulnerability, CVE-2025-10035, has been discovered in GoAnywhere MFT, a popular file transfer solution developed by Fortra. This flaw, rated 10.0 on the CVSS scale, allows attackers to bypass license validation and gain unauthorized access. Fortra urges immediate action to mitigate the risk.
The vulnerability, first exploited in September 2025, resides in the license validation mechanism of GoAnywhere MFT. Attackers can forge a malicious license response that bypasses the validation checks, potentially leading to unauthorized remote code execution, data exfiltration, and persistent access. Organizations may also be slow to detect a compromise.
Fortra recommends several steps to mitigate the risk. First, users should update to the latest version, GoAnywhere MFT 7.8.4, or to Sustain Release 7.6.3. In addition, Fortra suggests enhancing security monitoring, reviewing access controls, preparing incident response plans, and engaging with Fortra for further mitigation strategies.
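To turn the version guidance above into an inventory check, the following added example (not Fortra's or Bitsight's code) flags GoAnywhere MFT hosts that are not confirmed to be on a fixed release. It assumes the sustain release is the 7.6.x line, so 7.6.3 and later 7.6.x builds count as fixed and every other build must be at least 7.8.4; the hostnames and versions in the sample inventory are constructed.

```python
import re

# Fixed releases named in the article. Treating 7.6.x as the sustain
# branch is an assumption of this example.
FIXED_LATEST = (7, 8, 4)
FIXED_SUSTAIN = (7, 6, 3)


def parse_version(text):
    """Return (major, minor, patch), or None if text is not a plain x.y[.z] version."""
    m = re.fullmatch(r"\s*v?(\d+)\.(\d+)(?:\.(\d+))?\s*", text)
    if not m:
        return None
    return tuple(int(p) if p else 0 for p in m.groups())


def classify(version_text):
    """Classify one version string as 'fixed', 'needs-update' or 'unknown'."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"  # unparseable: never assume it is patched
    if v[:2] == FIXED_SUSTAIN[:2]:
        return "fixed" if v >= FIXED_SUSTAIN else "needs-update"
    return "fixed" if v >= FIXED_LATEST else "needs-update"


def triage(inventory):
    """Return (host, version, status) for every host not confirmed fixed."""
    return [(host, ver, classify(ver))
            for host, ver in inventory
            if classify(ver) != "fixed"]


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE = [
    ("mft-prod-01", "7.8.3"),
    ("mft-prod-02", "7.8.4"),
    ("mft-dr-01", "7.6.2"),
    ("mft-dr-02", "7.6.3"),
    ("mft-test-01", "7.7.1"),
    ("mft-lab-01", "unknown build"),
]

if __name__ == "__main__":
    for host, ver, status in triage(SAMPLE):
        print(f"{host}\t{ver}\t{status}")
```

Hosts reported as `unknown` are listed alongside `needs-update` so that an unreadable version string is followed up rather than silently treated as patched.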
Bitsight Cyber Threat Intelligence supports organizations by identifying external signals of exposure, alerting on threat actor chatter, and delivering risk insights. This helps in proactive threat management and timely response to potential attacks.
The CVE-2025-10035 vulnerability in GoAnywhere MFT poses a significant risk to organizations. While limited in-the-wild exploitation has been reported, active discussions on cybercriminal forums indicate growing interest and potential broader exploitation. Fortra's recommendations provide a roadmap for users to protect their systems. Regular updates, robust security measures, and proactive threat intelligence are key to mitigating this critical vulnerability.