CVE-2025-10035 is a critical vulnerability identified in Fortra's GoAnywhere Managed File Transfer (MFT) product. The vulnerability stems from improper neutralization of special elements used in a command, classified under CWE-77 (Command Injection), combined with a deserialization flaw (CWE-502). Specifically, the flaw exists in the License Servlet component of GoAnywhere MFT, where an attacker who can produce a validly forged license response signature can trigger deserialization of an arbitrary object controlled by the attacker. This deserialization process can lead to command injection, allowing the attacker to execute arbitrary system commands on the affected server. The vulnerability is remotely exploitable without requiring authentication or user interaction, as indicated by the CVSS vector (AV:N/AC:L/PR:N/UI:N). The impact scope is complete (S:C), meaning the vulnerability affects resources beyond the initially vulnerable component, potentially compromising the entire system. The CVSS v3.1 base score is 10.0, reflecting critical severity with high impact on confidentiality, integrity, and availability. Exploitation could lead to full system compromise, data theft, disruption of file transfer operations, and potential lateral movement within the network. Although no known exploits are currently reported in the wild, the ease of exploitation and severity make this a high-priority issue for organizations using GoAnywhere MFT. The affected version is listed as '0', which likely indicates all versions prior to a patch or a placeholder; organizations should verify their specific versions against vendor advisories. The lack of available patches at the time of publication underscores the urgency for mitigation and monitoring.

For European organizations, the impact of CVE-2025-10035 is significant due to the widespread use of managed file transfer solutions like GoAnywhere MFT in sectors such as finance, healthcare, government, and critical infrastructure. Successful exploitation could lead to unauthorized access to sensitive data, including personal data protected under GDPR, resulting in regulatory penalties and reputational damage. The ability to execute arbitrary commands on servers could disrupt business operations by interrupting file transfer workflows, causing data loss or corruption, and enabling further attacks such as ransomware deployment or lateral movement within enterprise networks. Given the critical nature of file transfer services in supply chains and inter-organizational communications, this vulnerability could also impact third-party relationships and contractual obligations. The lack of authentication requirements for exploitation increases the risk of external attackers targeting exposed GoAnywhere MFT instances, especially those accessible over the internet. Additionally, the potential for complete system compromise elevates the threat to national critical infrastructure entities and organizations handling high-value data in Europe.

1. Immediate mitigation should include restricting network access to the GoAnywhere MFT License Servlet, ideally limiting it to trusted internal IP addresses or VPN connections to reduce exposure. 2. Implement strict input validation and monitoring on license response data, if possible, to detect anomalous or malformed license responses. 3. Employ application-layer firewalls or Web Application Firewalls (WAFs) with custom rules to detect and block suspicious deserialization or command injection attempts targeting the License Servlet endpoint. 4. Monitor logs for unusual activity related to license validation processes and command execution on the server hosting GoAnywhere MFT. 5. Coordinate with Fortra for timely patch releases and apply updates as soon as they become available. 6. Conduct a thorough inventory of all GoAnywhere MFT deployments within the organization to identify and prioritize vulnerable instances. 7. Consider deploying intrusion detection/prevention systems (IDS/IPS) signatures tailored to detect exploitation attempts of this vulnerability. 8. Educate security teams about this specific threat to ensure rapid incident response capability. 9. If feasible, isolate the GoAnywhere MFT environment from other critical systems to contain potential breaches. 10. Review and tighten overall deserialization handling practices in custom integrations or extensions related to GoAnywhere MFT.