Critical Fortra GoAnywhere MFT Deserialization Vulnerability
Summary
A critical deserialization vulnerability (CVE‑2025‑10035) was recently discovered in Fortra’s GoAnywhere MFT product, specifically in the License Response Servlet. The flaw allows an actor who presents a forged license response signature to have an attacker‑controlled object deserialized, which can lead to remote code execution (RCE). GoAnywhere MFT is an enterprise managed file transfer solution and was previously exploited via CVE-2023-0699. While no in-the-wild exploitation has been observed as of yet, the previous vulnerability was exploited by ransomware groups and actors such as Cl0p, who specifically target MFT solutions. Exploitation depends heavily on the GoAnywhere admin console being publicly accessible.
Affected Systems and/or Applications
The affected systems are GoAnywhere MFT prior to version 7.8.4 and GoAnywhere Sustain prior to version 7.6.3.
Technical Details
Exploitation requires chaining the steps below; no working exploit chain is publicly known at this time.
License Response Servlet & deserialization sink
The LicenseResponseServlet, exposed at /goanywhere/lic/accept/<GUID>, takes a bundle parameter from an HTTP POST. After validating the license request token (the GUID in the URI against the session), it calls LicenseAPI.getResponse(bundle), which eventually deserializes a java.security.SignedObject and potentially the inner objects it wraps.
Token / Session-based validation
The servlet calls SessionUtilities.isLicenseRequestTokenValid(var5, var1.getSession()), where var5 is the token extracted from the URI and the session must hold a matching token. If the token is invalid, the request errors out; only a valid token lets execution reach LicenseAPI.getResponse, the deserialization logic.
Authentication bypass / obtaining valid token without credentials
watchTowr discovered that requesting /goanywhere/license/Unlicensed.xhtml with malformed inputs (for example, appending /x to the URL, supplying an invalid javax.faces.ViewState, or setting GARequestAction=activate) triggers an error flow into the AdminErrorHandlerServlet. This path generates a valid license request token and assigns it to the session even without prior authentication.
Hard‑coded keys and signed objects
The bundle parameter contains a serialized Java object that is encrypted with hard‑coded keys and signed (or expected to be signed). Because the keys are hard‑coded, the bundle can be decrypted offline to recover the embedded GUID. The server deserializes a SignedObject (or byte[]), verifies its signature against a public key, then extracts the inner object via getObject(). That inner object is attacker‑controlled; if a gadget chain exists, remote code execution may be possible.
Note that the patch replaces SignedObject.getObject with a wrapper, deserializeUntrustedSignedObject, in the deserialization flow, adding extra safety checks around what gets deserialized. However, the signature verification logic is unchanged in the initial patch, so questions remain over whether the signature check can be bypassed, or whether a compromised private key would allow malicious payloads to be signed.
Mitigation
Fortra has patched this in GoAnywhere MFT version 7.8.4 and GoAnywhere MFT Sustain version 7.6.3, and strongly advises updating affected systems to those releases. It is also advised not to expose the GoAnywhere Admin Console publicly; this significantly reduces the attack surface for an actor without prior access. Additionally, audit logs can be searched for the key signatures of exploitation: specifically, exception traces involving SignedObject.getObject, deserialization errors, or suspicious license response flows.
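The log-hunting guidance above as a small scanner, added here as an example (not from the advisory or from Fortra): it flags the malformed Unlicensed.xhtml requests that mint a token, license response POSTs to the accept servlet from the same client, and deserialization exceptions whose stack trace passes through SignedObject.getObject. The log layout, the ACCESS_RE pattern and the sample lines are constructed assumptions; real GoAnywhere logs differ, so adapt them to your own format.

```python
import re
# Constructed, simplified log layout (assumption: real GoAnywhere logs differ; adapt ACCESS_RE and the sample).
ACCESS_RE = re.compile(r"^\S+ (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<method>GET|POST) (?P<path>\S+) \d{3}$")
# URL shapes from the advisory: the Unlicensed.xhtml error path that mints a token, and the accept servlet.
UNLICENSED_RE = re.compile(r"/goanywhere/license/Unlicensed\.xhtml(?P<extra>/\S*)?")
ACCEPT_RE = re.compile(r"^/goanywhere/lic/accept/[0-9a-fA-F-]{36}$")
# Stack-frame fragments that tie a deserialization failure to the license response flow.
TRACE_MARKERS = ("SignedObject.getObject", "LicenseAPI.getResponse", "LicenseResponseServlet")
DESER_ERRORS = ("java.io.InvalidClassException", "java.io.StreamCorruptedException")

def scan_goanywhere_logs(lines):
    # Returns (log_line, reason) pairs for lines matching the advisory's hunting guidance.
    findings = []
    primed = set()        # client IPs that already hit the token-minting error path
    pending_error = None  # deserialization exception whose stack trace is still being read
    for raw in lines:
        line = raw.strip()
        if pending_error is not None:
            if any(t in line for t in TRACE_MARKERS):
                findings.append((pending_error, "deserialization error raised from the license response flow"))
                pending_error = None
                continue
            if line.startswith(("at ", "Caused by", "...")):
                continue
            pending_error = None  # trace ended elsewhere; fall through to access-log parsing
        elif any(e in line for e in DESER_ERRORS):
            pending_error = line
            continue
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ip, path = m.group("ip"), m.group("path")
        u = UNLICENSED_RE.search(path)
        if u and (u.group("extra") or "GARequestAction=activate" in path):
            primed.add(ip)
            findings.append((line, "malformed Unlicensed.xhtml request (token-minting error path)"))
        elif m.group("method") == "POST" and ACCEPT_RE.match(path.split("?", 1)[0]):
            reason = ("license response POST after unauthenticated token-minting request" if ip in primed
                      else "license response POST (review: expected only during licensing)")
            findings.append((line, reason))
    return findings

# Constructed sample: one suspicious client, one benign admin login.
SAMPLE_LOG = """\
2025-09-19T10:00:01Z 203.0.113.7 GET /goanywhere/license/Unlicensed.xhtml/x?GARequestAction=activate 500
2025-09-19T10:00:02Z 203.0.113.7 POST /goanywhere/lic/accept/3f1c2d4e-5a6b-4c7d-8e9f-0a1b2c3d4e5f 500
2025-09-19T10:00:02Z ERROR java.io.InvalidClassException: filter status: REJECTED
    at java.base/java.security.SignedObject.getObject(SignedObject.java)
2025-09-19T10:05:00Z 198.51.100.4 GET /goanywhere/admin/Login.xhtml 200
""".splitlines()
```

Running scan_goanywhere_logs(SAMPLE_LOG) yields three findings for the first client and none for the benign login; a lone accept POST with no preceding token-minting request is still reported for review, since the servlet should only see traffic during licensing.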
What the Cyber Fusion Center is Doing
The Cyber Fusion Center (CFC) is actively engaged in monitoring the situation surrounding the Fortra GoAnywhere vulnerability. An advisory update will be issued if new indicators, techniques, or escalations are identified that could further impact affected systems or require additional mitigation steps.
References
- https://www.fortra.com/security/advisories/product-security/fi-2025-012?ref=labs.watchtowr.com
- https://labs.watchtowr.com/is-this-bad-this-feels-bad-goanywhere-cve-2025-10035/