CVE-2025-10035 Scanner

The scanner checks the GoAnywhere MFT software for vulnerabilities. GoAnywhere is used by organizations for secure file transfers, ensuring data is exchanged securely between systems and partners. Administrators and IT departments primarily utilize it to automate and manage file transfers in a secure environment. Its adaptability makes it an essential tool in various industries, supporting multiple protocols for seamless interoperability. Maintaining the security and efficiency of file transfers is crucial for businesses that rely on the uninterrupted flow of information. Users depend on GoAnywhere to prevent unauthorized access and data leaks during these transfers.

The vulnerability detected is an insecure deserialization issue within GoAnywhere's License Servlet. This flaw arises when attacker-controlled objects are deserialized, potentially leading to command injection. An attacker can exploit this by providing a valid forged license response signature, which the system deserializes without proper validation. As a result, it presents a critical security risk by potentially allowing remote code execution. Once exploited, this vulnerability could lead to unauthorized access and control over the system.

Technical details involve the vulnerable endpoints being susceptible to deserializing untrusted inputs with attacker-crafted signatures. The exploitation process requires attackers to identify and interact with specific endpoints, such as `/goanywhere/license/Unlicensed.xhtml` or `/license/Unlicensed.xhtml`, using specially crafted requests. These requests may manipulate parameters like `javax.faces.ViewState` and `GARequestAction` to trigger the deserialization flaw. Successful exploitation is apparent when the server redirection includes specific indicators, suggesting vulnerable behavior.

Exploiting this vulnerability could result in severe consequences. Attackers could execute arbitrary commands on the affected system, leading to a complete system compromise. This can jeopardize data integrity and allow unauthorized access to sensitive information. Furthermore, it could disrupt operations, resulting in downtime and significant operational impact. As a result, it emphasizes the importance of addressing this vulnerability promptly to avoid exploitation.

REFERENCES

• https://labs.watchtowr.com/is-this-bad-this-feels-bad-goanywhere-cve-2025-10035/
• https://attackerkb.com/topics/LbA9ANjcdz/cve-2025-10035/rapid7-analysis
• https://www.fortra.com/security/advisories/product-security/fi-2025-011