Exposures › CVE-2025-10035
Fortra GoAnywhere MFT suffered a deserialization vulnerability allowing command injection via forged license signatures, linked to ransomware.
An actor with a forged license signature could deserialize arbitrary objects in Fortra GoAnywhere MFT, leading to command injection and potential ransomware deployment. DIB organizations must patch this critical KEV vulnerability immediately to prevent supply-chain compromise and data exfiltration. The failure stems from unpatched deserialization flaws that attackers actively exploited in the wild.
Shame score — A critical deserialization flaw enabling command injection was actively exploited in the wild and linked to ransomware, indicating severe negligence in patching known vulnerabilities.
Fortra GoAnywhere MFT contains a deserialization of untrusted data vulnerability allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection.
No correlated FedRAMP products.