COOEY // HUBcompliance · community · intelligence

Exposures › CVE-2025-10035

CVE-2025-10035

Severity
critical · on CISA KEV actively exploited
Source
CISA-KEV · kev
Published
2025-09-29
Reference
https://nvd.nist.gov/vuln/detail/CVE-2025-10035
⚡ RCE ⌖ exploited in the wild shame 85/100 ransomwarerceexploited-in-wildunpatched

Fortra GoAnywhere MFT suffered a deserialization vulnerability allowing command injection via forged license signatures, linked to ransomware.

An actor with a forged license signature could deserialize arbitrary objects in Fortra GoAnywhere MFT, leading to command injection and potential ransomware deployment. DIB organizations must patch this critical KEV vulnerability immediately to prevent supply-chain compromise and data exfiltration. The failure stems from unpatched deserialization flaws that attackers actively exploited in the wild.

Shame score — A critical deserialization flaw enabling command injection was actively exploited in the wild and linked to ransomware, indicating severe negligence in patching known vulnerabilities.

Players implicated

Fortra · vendorGoAnywhere MFT · product

Description

Fortra GoAnywhere MFT contains a deserialization of untrusted data vulnerability allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection.

Affected FedRAMP products 0 in the catalog

No correlated FedRAMP products.