The most recent critical deserialization vulnerability, CVE-2025-10035, was found in Fortra’s License Servlet. This serious flaw is an attractive target for any organization running the GoAnywhere admin console, because it permits remote command injection without authentication. Security researchers Sonny Macdonald and Piotr Bazydlo have walked through the vulnerability in a highly technical analysis, which focuses in particular on the “/goanywhere/license/Unlicensed.xhtml/” endpoint.
Recently, the Cybersecurity and Infrastructure Security Agency (CISA) confirmed that attackers are still actively exploiting CVE-2025-10035. This announcement should sound major alarms about the vulnerability’s severity and its possible implications. The vulnerability can allow attackers to take control of private keys owned by Fortra itself, which greatly compounds the threat that targeted organizations face.
Details of the Vulnerability
In general, the License Servlet (com.linoma.ga.ui.admin.servlet) is the primary target of CVE-2025-10035. An attacker can exploit the vulnerability by sending a specially crafted HTTP GET request that triggers the interaction with the License Servlet. The ease of exploitation is what makes this flaw especially dangerous for anybody with a GoAnywhere admin console exposed to the internet.
As detailed in the analysis released by watchTowr, the vulnerability’s effects go well beyond basic data breaches. It is a major risk to companies that do not know they are vulnerable.
“CVE-2025-10035 is primarily relevant to organizations with a GoAnywhere admin console exposed to the internet. Upon identifying the vulnerability, we immediately notified those customers and continue to provide direct updates and support. Our investigation is ongoing, and our security advisory outlines what organizations need to know based on current findings. We will provide additional information as it becomes available.” – Fortra
The seriousness of this flaw is underscored by its CVSS score of 10.0, the top severity rating. Yet no actual value has been provided.
Response from Security Experts
Benjamin Harris, CEO and Founder of watchTowr, shared his concerns about Fortra’s response to this vulnerability. He highlighted that the world’s largest company did not put its best foot forward. It was alarming enough that in-the-wild exploitation began on Sept. 10, 2025.
“We continue to be confused as to why Fortra is not advising customers of what appears to be clear evidence of in-the-wild exploitation since at least September 10th.” – Benjamin Harris
Harris stressed that Fortra should be clear about how quickly this vulnerability needs to be addressed, and urged the company to be more transparent about the severity of the crisis. Are actions really required right away, or can customers delay patching until the end of the year?
“CISA’s addition of these vulnerabilities to the exclusive KEV list only adds to this confusion. We urge Fortra to share their viewpoint and would encourage customers to ask Fortra what they should be doing with regards to patching cycles. Is this urgent, or can it wait until Christmas?” – Benjamin Harris
Ongoing Developments and Mitigation Steps
Given the severity of CVE-2025-10035, Fortra has issued a Critical Patch for the vulnerability. The possibility of its misuse remains an ongoing point of concern for cybersecurity professionals and company executives.
Organizations are still processing the impact of this newly discovered vulnerability. They have to remain on high alert by constantly monitoring their systems and installing updates as needed. watchTowr and other security experts are still performing a forensic investigation, with the aim of revealing every possible risk CVE-2025-10035 might pose.
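Since the flaw is triggered by a crafted GET request to the License Servlet endpoint named above, one concrete way to act on the advice to monitor systems is to scan web-server or reverse-proxy access logs for requests to that endpoint and rank them by source. The script below is an added example, not code from watchTowr or Fortra; it assumes combined log format (real GoAnywhere logs may differ), uses constructed sample lines, and treats a hypothetical list of address prefixes as trusted admin networks.

```python
import re
from collections import Counter

# Constructed sample lines in Apache/NGINX combined log format (illustration only;
# real GoAnywhere or reverse-proxy logs may use a different layout).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Sep/2025:03:14:02 +0000] "GET /goanywhere/license/Unlicensed.xhtml/ HTTP/1.1" 200 512 "-" "python-requests/2.31"
10.0.0.5 - - [10/Sep/2025:09:00:11 +0000] "GET /goanywhere/auth/Login.xhtml HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Sep/2025:03:14:05 +0000] "GET /goanywhere/license/Unlicensed.xhtml/ HTTP/1.1" 500 0 "-" "python-requests/2.31"
198.51.100.22 - - [11/Sep/2025:12:30:00 +0000] "GET /goanywhere/license/Unlicensed.xhtml?x=1 HTTP/1.1" 200 512 "-" "curl/8.4"
10.0.0.5 - - [11/Sep/2025:12:31:00 +0000] "GET /goanywhere/license/Unlicensed.xhtml/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Combined-log-format fields we need: source IP, timestamp, method, path, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# The License Servlet endpoint named in the analysis; trailing slash and query string optional.
LICENSE_ENDPOINT_RE = re.compile(r'^/goanywhere/license/Unlicensed\.xhtml/?(?:\?.*)?$',
                                 re.IGNORECASE)

# Hypothetical: address prefixes treated as trusted admin networks. Adjust per environment.
TRUSTED_PREFIXES = ("10.", "192.168.")


def parse_line(line):
    """Parse one combined-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def license_servlet_hits(log_text):
    """Return every parsed request whose path targets the License Servlet endpoint."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and LICENSE_ENDPOINT_RE.match(rec["path"]):
            hits.append(rec)
    return hits


def untrusted_sources(hits, trusted_prefixes=TRUSTED_PREFIXES):
    """Count License Servlet requests per source IP, ignoring trusted admin networks."""
    return Counter(h["ip"] for h in hits if not h["ip"].startswith(trusted_prefixes))


if __name__ == "__main__":
    for ip, n in untrusted_sources(license_servlet_hits(SAMPLE_LOG)).most_common():
        print(f"{ip}: {n} request(s) to the License Servlet endpoint")
```

Any hit from an untrusted source on a console that is not meant to be reachable from the internet is worth investigating, regardless of the HTTP status returned.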
Harris further noted the critical nature of this flaw:
“This is not ‘just’ a CVSS 10.0 flaw in a solution long favored by APT groups and ransomware operators – it is a vulnerability that has been actively exploited in the wild since at least September 10, 2025.” – Benjamin Harris