A deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection.
The attacker forges the license response signature in such a way that it passes server-side verification. The crafted response contains a maliciously constructed serialized object that the License Servlet deserializes without proper content validation (CWE-502). The deserialization operation leads to command injection (CWE-77), enabling execution of arbitrary system commands in the context of the application server. The vulnerability requires no authentication or user interaction, and its scope of impact extends beyond the application itself (Scope: Changed).
An attacker can gain full control over the server — execute arbitrary operating system commands, access stored files and data (including those transferred via MFT), and compromise the integrity and availability of the system.
Security patches available from the vendor must be applied immediately in accordance with the official Fortra advisory (fi-2025-012). Due to confirmed active exploitation by CISA KEV, the update should be treated as a priority. Until the patch is deployed, consider restricting network access to the License Servlet and monitoring anomalous requests directed to this component.
Fortra GoAnywhere Managed File Transfer — versions indicated in vendor references (advisory fi-2025-012 on fortra.com).
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HFortra Goanywhere Managed File Transfer
APPFortra< 7.6.37.7.0 – 7.8.4 (bez)
CISA KEV — detailsi
- Vendori
- Fortra
- Producti
- GoAnywhere MFT
- Added to KEVi
- September 29, 2025
- Remediation deadline (US Federal)i
- October 20, 2025(overdue)
- Ransomwarei
- Active ransomware campaigns exploit this vulnerability
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Fortra GoAnywhere MFT contains a deserialization of untrusted data vulnerability allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection.
Related vulnerabilities
Pominięcie uwierzytelniania w Fortra GoAnywhere MFT — tworzenie konta admina
Fortra (formerly, HelpSystems) GoAnywhere MFT suffers from a pre-authentication command injection vulnerabilit...
The login limit is not enforced on the SFTP service of Fortra's GoAnywhere MFT prior to 7.10.0 if the Web User...
Encrypted values in Fortra's GoAnywhere MFT prior to version 7.10.0 and GoAnywhere Agents prior to version 2.2...
An improper session timeout issue in Fortra's GoAnywhere MFT prior to version 7.10.0 results in SAML configure...