
Critical Deserialization Flaw in Fortra GoAnywhere MFT Poses Severe Risk to 20,000 Systems
A critical deserialization vulnerability, CVE-2025-10035 (CVSS score 10.0), has been discovered in the License Servlet component of Fortra GoAnywhere MFT, a managed file transfer solution. The flaw allows command injection and puts approximately 20,000 systems at severe risk. It is being actively exploited, so immediate patching to version 7.8.4 is essential to prevent system takeover.

The vulnerability is reminiscent of previous critical flaws in GoAnywhere MFT, such as CVE-2023-0669, which was exploited by ransomware groups like Cl0p. Its impact on the cybersecurity landscape is significant, as unpatched systems are at high risk of compromise. Organizations must prioritize patching, review their networks for signs of exploitation, and strengthen monitoring and detection measures to mitigate the threat. This incident underscores the importance of timely vulnerability management and proactive cybersecurity measures.