Fortra has recently disclosed a serious security vulnerability in its GoAnywhere Managed File Transfer (MFT) software. Tracked as CVE-2025-10035, it carries the maximum CVSS score of 10.0, which signals a very high risk for any organization running this software. The vulnerability permits an attacker to execute arbitrary commands, which could have catastrophic consequences for data security.
This announcement comes on the heels of another critical vulnerability, CVE-2024-0204, which was scored 9.8 on the CVSS scale, its highest possible score, underscoring its criticality. That earlier flaw allowed the creation of new administrator users and was patched by Fortra in January 2022. GoAnywhere MFT had already contended with high-severity vulnerabilities such as CVE-2023-0669, a weakness (CVSS score of 7.2) that ransomware actors quickly learned to exploit.
Urgent Need for Patches
If your organization runs GoAnywhere MFT, you need to take immediate action. Apply the official patches immediately; they are the best protection against these vulnerabilities. Thousands of GoAnywhere MFT deployments are currently exposed to the Internet, which greatly multiplies their risk of exploitation.
Ryan Dewhurst, a cybersecurity expert, highlighted the urgency of the situation:
“With thousands of GoAnywhere MFT instances exposed to the Internet, this issue is almost certain to be weaponized for in-the-wild exploitation soon. While Fortra notes exploitation requires external exposure, these systems are generally Internet-facing by design, so organizations should assume they are vulnerable. Organizations should apply the official patches immediately and take steps to restrict external access to the Admin Console.”
Limiting who can reach the Admin Console is an important first step in protecting these systems from attack. As vulnerabilities and exploits develop, organizations must stay one step ahead and safeguard their networks.
Details on Vulnerabilities
This critical vulnerability (CVE-2025-10035), assigned a CVSS score of 10, originates from a deserialization flaw in the License Servlet of GoAnywhere MFT. Fortra's advisory makes clear why this matters: an attacker holding a forged but valid license response signature can deserialize arbitrary objects under their control, which could lead to remote command injection and compromise of the underlying system.
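The defensive lesson in that description is that a signature check on a license response is not enough when the body is then handed to a general-purpose object deserializer: a forged-but-valid signature turns the deserializer itself into the attack surface. The following is an added illustration, not Fortra's or GoAnywhere's code (GoAnywhere is a Java product using Java serialization; Python's pickle stands in for it here), showing the allow-list pattern that limits reconstruction to one expected type. The signing key, the `LicenseResponse` class and the sample payloads are all constructed for this example.

```python
"""Allow-list deserialization demo (added example; not GoAnywhere code).

Two loaders are shown: one that trusts any body with a valid signature
(the weak pattern), and one that additionally refuses to resolve any class
not on a fixed allow-list. With a forged-but-valid signature the first
check passes in both; only the allow-list stops arbitrary objects.
"""
import datetime
import hashlib
import hmac
import io
import pickle
from dataclasses import dataclass

# Constructed secret for this example; a real system holds the vendor key.
SIGNING_KEY = b"example-license-signing-key"
SIG_LEN = hashlib.sha256().digest_size


@dataclass
class LicenseResponse:
    """The only object a license endpoint should ever reconstruct."""
    customer: str
    seats: int
    expires: str


class RestrictedUnpickler(pickle.Unpickler):
    """pickle calls find_class for every global named in the stream, so
    overriding it blocks instantiation of anything outside the allow-list."""

    ALLOWED = {(LicenseResponse.__module__, "LicenseResponse")}

    def find_class(self, module: str, name: str):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"class not permitted: {module}.{name}")


def sign(body: bytes) -> bytes:
    return hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()


def make_envelope(obj) -> bytes:
    """Signature followed by the serialized body (constructed wire format)."""
    body = pickle.dumps(obj)  # default protocol references the class directly
    return sign(body) + body


def _verified_body(envelope: bytes) -> bytes:
    sig, body = envelope[:SIG_LEN], envelope[SIG_LEN:]
    if not hmac.compare_digest(sig, sign(body)):
        raise ValueError("bad signature")
    return body


def load_license_unsafe(envelope: bytes):
    """Weak pattern: a valid signature is treated as proof the body is safe."""
    return pickle.loads(_verified_body(envelope))


def load_license(envelope: bytes) -> LicenseResponse:
    """Hardened pattern: verify, then reconstruct only the allow-listed type."""
    obj = RestrictedUnpickler(io.BytesIO(_verified_body(envelope))).load()
    if not isinstance(obj, LicenseResponse):
        raise ValueError("unexpected object type")
    return obj


def demo() -> dict:
    """Exercise both loaders; returns outcomes keyed by scenario."""
    genuine = make_envelope(LicenseResponse("ACME", 25, "2030-01-01"))
    # A body of the attacker's choosing carrying a valid signature (the
    # forged-signature scenario). A harmless off-list type stands in for
    # whatever an attacker would actually choose.
    forged_valid = make_envelope(datetime.date(2030, 1, 1))
    tampered = genuine[:-1] + bytes([genuine[-1] ^ 0x01])

    results = {"genuine": load_license(genuine).customer}
    results["unsafe_loader"] = type(load_license_unsafe(forged_valid)).__name__
    try:
        load_license(forged_valid)
        results["off_list"] = "loaded"
    except pickle.UnpicklingError as exc:
        results["off_list"] = f"rejected: {exc}"
    try:
        load_license(tampered)
        results["tampered"] = "loaded"
    except ValueError as exc:
        results["tampered"] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome}")
```

The unsafe loader happily reconstructs the off-list `date` object once the signature verifies, which is exactly the gap a forged-but-valid signature exploits; the restricted loader rejects it before any object is built. The same idea applies to Java serialization through an `ObjectInputFilter`, and the stronger fix is to stop accepting serialized object graphs on that endpoint at all.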
The CVE-2024-0204 vulnerability, also previously reported by Jetpack, allowed an unauthenticated user to create new admin accounts, which let them escalate their access and push deeper into the infrastructure. The repeated emergence of these vulnerabilities underscores the need for organizations to prioritize cybersecurity measures and stay informed about developments affecting their software.
Historical Context and Risk Assessment
The cumulative track record of vulnerabilities in GoAnywhere MFT raises serious doubts about its security posture. The previously disclosed CVE-2023-0669 was exploited in the wild as a zero-day, resulting in the theft of sensitive data. At a minimum, organizations should understand that bugs in this software have already been exploited in practice.
As Fortra continues to address vulnerabilities within GoAnywhere MFT, it is imperative for businesses to adopt a proactive security strategy. Regular updates and immediate patching can help mitigate risks and protect valuable data assets from falling into the wrong hands.