Maximum severity vulnerability in GoAnywhere MFT License Servlet

On September 18, 2025, Fortra issued a security advisory disclosing a critical vulnerability in its GoAnywhere Managed File Transfer (MFT) platform. The flaw, tracked as CVE-2025-10035, resides in the License Servlet component and was discovered during a security check conducted on September 11, 2025. It was patched in GoAnywhere MFT version 7.8.4 and Sustain Release 7.6.3.

The Common Vulnerability Scoring System (CVSS) rating assigned to CVE-2025-10035 is 10.0, the highest possible severity. The vulnerability is remotely exploitable, requires no user interaction, and affects systems with publicly accessible Admin Consoles. According to Fortra, exploitation is highly dependent on internet exposure.

As of September 19, 2025, there is no confirmed public proof-of-concept (PoC) or active exploitation, but the risk remains elevated due to the nature of the flaw and its similarity to prior incidents involving GoAnywhere MFT, such as the CVE-2023-0669 that was exploited by ransomware groups.

Fortra has urged customers to immediately review configurations and remove public access to the Admin Console to reduce exposure.

Stay on top of emerging threats like this.

Sign up to receive a weekly roundup of our security intelligence feed. You'll be the first to know of emerging attack vectors, threats, and vulnerabilities. 

Sign up

Analyst insight

GoAnywhere MFT is widely deployed across enterprise environments to facilitate secure file transfers and maintain audit logs. Its role in handling sensitive data makes it a high-value target for threat actors.

Fortra recommends upgrading to GoAnywhere MFT version 7.8.4 or Sustain Release 7.6.3 immediately. For environments unable to apply patches, the primary mitigation is to ensure the Admin Console is not accessible over the internet. Suggested security measures include implementing network segmentation, firewall rules, and access controls to restrict exposure.

Organizations should also monitor for signs of suspicious activity and validate that no unauthorized license responses have been processed. Given the critical nature of the flaw and its potential for remote command execution, proactive defense and visibility into file transfer systems are essential.