CVE-2025-10035

CRITICAL KEV RANSOMWARE NUCLEI

Fortra GoAnywhere MFT < 7.6.3 - Deserialization of Untrusted Data via License Servlet

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2025-10035 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added September 29, 2025, with confirmed use in ransomware campaigns. EIP tracks 4 public exploits from researchers including rxerium, ThemeHackers, orange0Mint. A Nuclei detection template is also available.

AI-analyzed exploit summary This repository provides a Nuclei template to detect vulnerable GoAnywhere MFT instances by extracting version numbers from the login page and matching against affected version ranges. It does not include an exploit but serves as a detection tool.

Description

A deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection.

Exploits (4)

nomisec SCANNER 19 stars
by rxerium · poc
https://github.com/rxerium/CVE-2025-10035

This repository provides a Nuclei template to detect vulnerable GoAnywhere MFT instances by extracting version numbers from the login page and matching against affected version ranges. It does not include an exploit but serves as a detection tool.

Classification
Scanner 90%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: GoAnywhere MFT
No auth needed
Prerequisites: Access to the target's login page
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec SCANNER 1 stars
by ThemeHackers · poc
https://github.com/ThemeHackers/CVE-2025-10035

This repository contains a scanner for CVE-2025-10035, which checks for vulnerable versions of GoAnywhere Managed File Transfer (MFT). The script identifies versions within specific ranges (7.7.0 to 7.8.4 and below 7.6.3) and reports vulnerability status.

Classification
Scanner 95%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: GoAnywhere Managed File Transfer (MFT)
No auth needed
Prerequisites: Network access to the target GoAnywhere MFT instance
devstral-2 · analyzed Feb 16, 2026 Full analysis →
gitlab SCANNER
by ThemeHackers · poc
https://gitlab.com/ThemeHackers/CVE-2025-10035

This repository contains a Python-based scanner for CVE-2025-10035, which checks for vulnerable versions of GoAnywhere Managed File Transfer (MFT) by analyzing HTTP responses. It does not include exploit code but identifies vulnerable versions through version detection.

Classification
Scanner 95%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: GoAnywhere Managed File Transfer (MFT) versions 7.7.0 to 7.8.4 and below 7.6.3
No auth needed
Prerequisites: Network access to the target GoAnywhere MFT instance
devstral-2 · analyzed Feb 23, 2026 Full analysis →
nomisec SCANNER
by orange0Mint · poc
https://github.com/orange0Mint/CVE-2025-10035_GoAnywhere

This repository contains a Python-based scanner to detect whether a GoAnywhere instance is vulnerable to CVE-2025-10035 by checking for the presence of a 'bundle' query parameter in the redirect URL. It does not exploit the vulnerability but only checks for its presence.

Classification
Scanner 95%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: GoAnywhere (version not specified)
No auth needed
Prerequisites: Network access to the target GoAnywhere instance
devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

GoAnywhere - Authentication Bypass
CRITICALVERIFIEDby DhiyaneshDk,watchtowr
Shodan: title:"GoAnywhere"
FOFA: title="GoAnywhere"

References (2)

Core 2

Scores

CVSS v3 10.0
EPSS 0.6224
EPSS Percentile 98.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2025-09-29
VulnCheck KEV 2025-09-25
ENISA EUVD EUVD-2025-30225
Ransomware Use Confirmed
CWE
CWE-502 CWE-77
Status published
Products (1)
fortra/goanywhere_managed_file_transfer < 7.6.3
Published Sep 18, 2025
KEV Added Sep 29, 2025
Tracked Since Feb 18, 2026