Particle.news

Fortra Patches CVSS 10 Flaw in GoAnywhere MFT, Urges Lockdown of Admin Consoles

Exploitation hinges on public internet exposure, prompting a temporary removal of external Admin Console access.

Overview

  • Patches are available in GoAnywhere MFT 7.8.4 and Sustain Release 7.6.3 following a September 11 internal security check that flagged the issue.
  • CVE-2025-10035 is a deserialization flaw in the License Servlet: a forged license response is deserialized, enabling possible command injection.
  • Fortra advises customers who cannot immediately upgrade to ensure the Admin Console is not reachable from the public web.
  • No in-the-wild exploitation has been confirmed, though researchers at watchTowr warn the bug is likely to be weaponized.
  • Shadowserver is tracking more than 470 GoAnywhere instances on the internet, and prior License Servlet flaws such as CVE-2023-0669 were exploited by ransomware operators.