Overview

• CVE-2025-10035 (CVSS 10) is a deserialization flaw in the license servlet that can allow a forged license response to trigger command injection and potential remote code execution.
• Fortra fixed the issue in GoAnywhere MFT 7.8.4 and Sustain 7.6.3, noting that successful exploitation largely depends on externally exposed systems.
• As of September 22, neither Fortra nor Rapid7 has seen confirmed in-the-wild exploitation or public exploit code for this vulnerability.
• Fortra advises removing public access to the Admin Console and monitoring Admin Audit logs for exception traces containing “SignedObject.getObject,” which may indicate impact.
• Security researchers highlight strong similarities to the widely exploited 2023 CVE-2023-0669 incident involving Clop and expect attackers to attempt weaponization soon.