CVE-2025-10035

CRITICAL KEV RANSOMWARE NUCLEI

Fortra GoAnywhere Managed File Transfer < 7.6.3 - Command Injection

Description

A deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection.

Exploits (4)

nomisec SCANNER 19 stars
by rxerium · poc
https://github.com/rxerium/CVE-2025-10035

nomisec SCANNER 1 star
by ThemeHackers · poc
https://github.com/ThemeHackers/CVE-2025-10035

gitlab SCANNER
by ThemeHackers · poc
https://gitlab.com/ThemeHackers/CVE-2025-10035

nomisec SCANNER
by orange0Mint · poc
https://github.com/orange0Mint/CVE-2025-10035_GoAnywhere

Nuclei Templates (1)

GoAnywhere - Authentication Bypass
CRITICAL · VERIFIED · by DhiyaneshDk, watchtowr
Shodan: title:"GoAnywhere"
FOFA: title="GoAnywhere"

Scores

CVSS v3 10.0
EPSS 0.4956
EPSS Percentile 97.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Details

CISA KEV 2025-09-29
VulnCheck KEV 2025-09-25
ENISA EUVD EUVD-2025-30225
Ransomware Use Confirmed
CWE CWE-502, CWE-77
Status published
Products (1)
fortra/goanywhere_managed_file_transfer < 7.6.3
Published Sep 18, 2025
KEV Added Sep 29, 2025
Tracked Since Feb 18, 2026