Fortra discloses 10/10 severity bug in GoAnywhere MFT
Briefly

"Budding ransomware crooks have another shot at exploiting Fortra's GoAnywhere MFT product now that a new 10/10 severity vulnerability needs patching. The vendor issued an advisory for CVE-2025-10035 on Thursday, saying successful exploitation can potentially lead to command injection. Fortra's advisory states "a deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection.""
"It comes more than two years after the vendor issued patches for CVE-2023-0669 (7.2) - a similar vulnerability affecting the License Servlet of GoAnywhere MFT as a Service, also leading to command injection. Reg readers may remember the vulnerability being exploited by criminals working for LockBit and Black Basta - two of the most prolific ransomware crews of their time. Months after discovering the flaw in January 2023, Fortra's own assessment confirmed CVE-2023-0669 was exploited as a zero-day between January 18-31, 2023, by unspecified attackers."
"Customers were contacted directly and urged to rotate all keys, master keys, and credentials, and scan logs for suspicious admin accounts that should be deleted. This time around, Fortra is encouraging customers to either upgrade to a patched version - either the latest release, 7.8.4, or the Sustain Release 7.6.3 - or to apply the mitigation, which involves ensuring the product's admin console isn't publicly exposed to the web. "Exploitation of this vulnerability is highly dependent upon systems being externally exposed to the internet," it said in the advisory."
A critical deserialization vulnerability, CVE-2025-10035, affects the License Servlet in Fortra's GoAnywhere MFT: an attacker who can present a validly forged license response signature can make the servlet deserialize an arbitrary attacker-controlled object, which may lead to command injection. The flaw is a close relative of CVE-2023-0669 in the same servlet, which Fortra confirmed was exploited as a zero-day between January 18 and 31, 2023, and which was used by criminals working for the LockBit and Black Basta ransomware crews. Fortra recommends upgrading to a patched release (7.8.4, or Sustain Release 7.6.3) or, failing that, ensuring the admin console is not reachable from the internet, since the advisory ties exploitation to external exposure. Given the 2023 precedent, operators of instances that have been exposed should also consider what Fortra asked of customers then: rotate keys, master keys and credentials, and review logs for admin accounts nobody created.
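The two practical questions the summary above leaves to the operator are whether an installed build is one of the releases Fortra names and whether the admin console answers from outside. The script below is an added example (my code, not Fortra's and not The Register's) that checks both. Everything not stated on the page is an assumption and is marked as such: the console default ports 8000 (HTTP) and 8001 (HTTPS), the License Servlet path `/goanywhere/lic/accept` (the path seen in public reporting on CVE-2023-0669), and the reading of "patched" as 7.8.4 or later, or 7.6.3 or later on the 7.6 Sustain line.

```python
"""Triage helper for the GoAnywhere MFT advisory: version check plus an
exposure probe of the admin console. Added example, not vendor code.

Assumptions (not stated in the advisory or the article):
- admin console default ports 8000 (HTTP) / 8001 (HTTPS);
- the License Servlet is mapped at /goanywhere/lic/accept;
- "patched" means >= 7.8.4, or 7.6.3 <= version < 7.7 on the Sustain branch.
"""
import re
import ssl
import sys
import urllib.request
from urllib.error import HTTPError, URLError

PATCHED_LATEST = (7, 8, 4)    # latest release named in the advisory
PATCHED_SUSTAIN = (7, 6, 3)   # Sustain Release named in the advisory
SUSTAIN_BRANCH = (7, 6)

ADMIN_PORTS = {8000: "http", 8001: "https"}               # assumed defaults
ADMIN_PATHS = ("/goanywhere/", "/goanywhere/lic/accept")  # console root + assumed servlet path


def parse_version(text):
    """'7.8.4' or 'GoAnywhere MFT 7.6.2' -> (7, 8, 4) / (7, 6, 2); pads to 3 parts."""
    nums = re.findall(r"\d+", text)
    if not nums:
        raise ValueError(f"no version number in {text!r}")
    v = tuple(int(n) for n in nums[:3])
    return v + (0,) * (3 - len(v))


def is_patched(version_text):
    """True if the version is at or above the fixed release for its branch."""
    v = parse_version(version_text)
    if v[:2] == SUSTAIN_BRANCH:          # 7.6.x stays on the Sustain line
        return v >= PATCHED_SUSTAIN
    return v >= PATCHED_LATEST           # every other branch must reach 7.8.4


def classify_response(status, body):
    """Turn one HTTP probe result into a verdict string."""
    if status is None:
        return "unreachable"             # refused / timed out / TLS failure
    if "goanywhere" in body.lower():
        return "exposed"                 # an HTTP service answering with GoAnywhere content
    return "http-other"                  # something answered; inspect by hand


def probe(host, port, scheme, path, timeout=5.0):
    """GET scheme://host:port/path; return (status, body) or (None, '') if unreachable."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False           # self-signed console certificates are common
    ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(f"{scheme}://{host}:{port}{path}",
                                 headers={"User-Agent": "goanywhere-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except HTTPError as err:             # 401/403/404 still prove the console answers
        return err.code, err.read(4096).decode("utf-8", "replace")
    except (URLError, OSError, ValueError):
        return None, ""


def check_host(host):
    """Probe every (port, path) pair; return {(port, path): verdict}."""
    return {(port, path): classify_response(*probe(host, port, scheme, path))
            for port, scheme in ADMIN_PORTS.items() for path in ADMIN_PATHS}


if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit("usage: python check.py <installed-version> <host>")
    print("patched:", is_patched(sys.argv[1]))
    for (port, path), verdict in check_host(sys.argv[2]).items():
        print(f"{sys.argv[2]}:{port}{path} -> {verdict}")
```

Run it from a host outside your perimeter, since "unreachable" from inside the network says nothing about internet exposure. An "exposed" verdict on either path means the mitigation Fortra describes is not in place; "http-other" usually means a proxy or WAF answered and the backend needs a manual look.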
Read at The Register