Fortra has disclosed details of a critical security flaw in GoAnywhere Managed File Transfer (MFT) software that could result in the execution of arbitrary commands.

The vulnerability, tracked as CVE-2025-10035 , carries a CVSS score of 10.0, indicating maximum severity.

"A deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection," Fortra said in an advisory released Thursday.

The company also noted that successful exploitation of the vulnerability is dependent on the system being publicly accessible over the internet.

Users are advised to update to the patched release – version 7.8.4, or the Sustain Relea

See Full Page