We have completed our investigation of suspicious activity related to our Fortra GoAnywhere MFT solution that resulted in CVE-2025-10035. This post summarizes our findings.
What Happened:
On Sept. 11, 2025, we began investigating a potential vulnerability reported by a customer.
After identifying the issue, Fortra developed and released hotfixes for supported versions and updated the product to further secure the affected component. We also notified all Fortra GoAnywhere MFT customers of the available updates and mitigation steps.
The timeline below provides an overview of our investigation, remediation, and customer communications.
Sept. 11: Suspicious activity reported, investigation begins
- Our investigation focused on three primary paths: We inspected customer logs, researched the exposure of on-premises customer admin consoles, and analyzed our MFTaaS (Fortra-hosted) instances for indicators of compromise.
- We examined all instances of our MFTaaS environment and found three with potentially suspicious activity related to the vulnerability. We promptly isolated these instances for further investigation and contacted the customers.
- Customer contact processes initiated: We also contacted on-premises customers who we identified as having their GoAnywhere admin console accessible to the public internet. Our support team provided risk mitigation measures and further assistance to these customers as requested.
- Initial report to law enforcement: We contacted law enforcement regarding the suspicious activity and have remained in contact throughout our investigation.
Sept. 12: Patch created
- We created a hotfix for v7.6.x, v7.7.x, and v7.8.x of the software and updated customers to let them know the patch was available.
Sept. 15: Full release available and MFTaaS testing
- Full releases of GoAnywhere incorporating the patch, v7.6.3 and v7.8.4, were posted to the GoAnywhere Customer Portal for download. We also began testing the deployment of the MFTaaS upgrade to ensure minimal disruption to our customers’ instances.
Sept. 17: MFTaaS instances upgraded to v7.8.4
- To resolve the vulnerability for MFTaaS customers, Fortra updated all MFTaaS instances to v7.8.4 with minimal disruption to customer operations.
Sept. 18: CVE published
Indicators of Compromise
We observed the following indicators associated with the vulnerability. We advised customers to monitor their admin audit logs for suspicious activity, such as unknown or new admin users or other unexpected behavior.
Search log files in the “userdata/logs/” directory for errors containing SignedObject.getObject. If this string is present in an exception stack trace (similar to the following), then the instance may have been affected by this vulnerability.

    ERROR Error parsing license response
    java.lang.RuntimeException: InvocationTargetException: java.lang.reflect.InvocationTargetException
    ...
        at java.base/java.io.ObjectInputStream.readObject(Unknown Source)
        at java.base/java.security.SignedObject.getObject(Unknown Source)
        at com.linoma.license.gen2.BundleWorker.verify(BundleWorker.java:319)
        at com.linoma.license.gen2.BundleWorker.unbundle(BundleWorker.java:122)
        at com.linoma.license.gen2.LicenseController.getResponse(LicenseController.java:441)
        at com.linoma.license.gen2.LicenseAPI.getResponse(LicenseAPI.java:304)
        at com.linoma.ga.ui.admin.servlet.LicenseResponseServlet.doPost(LicenseResponseServlet.java:64)
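The log search described above, written as a script that keeps each stack trace attached to the log entry that produced it. This is an added example, not Fortra tooling; the entry-start pattern, the timestamp format and the sample log lines are assumptions constructed for illustration, and logs are assumed to be plain text.

```python
import re
from pathlib import Path

INDICATOR = "SignedObject.getObject"  # string the advisory says to search for
# Assumption: each log entry starts with an optional "date time" prefix and a level.
ENTRY_START = re.compile(r"^(?:\S+ \S+ )?(?:ERROR|WARN|INFO|DEBUG)\b")

# Constructed sample: timestamps and neighbouring entries are invented; frames are from the advisory.
SAMPLE_LOG = """\
2025-01-01 03:14:02 INFO Admin user logged in
2025-01-01 03:14:07 ERROR Error parsing license response
java.lang.RuntimeException: InvocationTargetException: java.lang.reflect.InvocationTargetException
\tat java.base/java.io.ObjectInputStream.readObject(Unknown Source)
\tat java.base/java.security.SignedObject.getObject(Unknown Source)
\tat com.linoma.license.gen2.BundleWorker.verify(BundleWorker.java:319)
2025-01-01 03:15:00 INFO Scheduled job finished
2025-01-01 03:16:00 ERROR Connection reset by peer
"""

def split_entries(lines):
    """Yield (first_line_number, lines) per entry, keeping stack traces attached."""
    entry, start = [], 0
    for number, line in enumerate(lines, 1):
        if entry and ENTRY_START.match(line):
            yield start, entry
            entry = []
        if not entry:
            start = number
        entry.append(line.rstrip("\n"))
    if entry:
        yield start, entry

def find_hits(lines, source="<sample>"):
    """Return one record per log entry that contains the indicator string."""
    hits = []
    for start, entry in split_entries(lines):
        if any(INDICATOR in line for line in entry):
            frames = [l.strip() for l in entry if l.strip().startswith("at ")]
            hits.append({"source": source, "line": start,
                         "header": entry[0].strip(), "frames": frames})
    return hits

def scan_dir(log_dir):
    """Scan every file under log_dir (for example userdata/logs/) as plain text."""
    hits = []
    for path in sorted(p for p in Path(log_dir).rglob("*") if p.is_file()):
        with path.open(errors="replace") as handle:
            hits.extend(find_hits(handle, str(path)))
    return hits
```

Call `scan_dir` on the instance's `userdata/logs/` directory; each record gives the file, the line where the entry starts, and the frames, which can be compared against the trace above.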
What Did Fortra Do to Address the Vulnerability?
- Fortra published GoAnywhere v7.6.3 and v7.8.4 to resolve the vulnerability.
- Fortra reviewed network controls for MFTaaS to ensure admin consoles are not exposed.
- Fortra reviewed all log files in the MFTaaS instances.
- Fortra updated all MFTaaS instances, including infrastructure rebuilds.
- Fortra took action to identify and notify on-premises customers with an admin console exposed to the public internet.
Impact Statement on GoAnywhere Vulnerability
The scope of the risk of this vulnerability is limited to customers with an admin console exposed to the public internet. Other web-based components of the GoAnywhere architecture are not affected by this vulnerability. We continue to monitor the situation. At this time, we have a limited number of reports of unauthorized activity related to CVE-2025-10035.
Recommendations for GoAnywhere MFT Customers
Fortra’s GoAnywhere MFT Hardening Guide recommends that the admin console not be exposed to the public internet, along with several other security practices to employ with a GoAnywhere installation.
These recommendations, such as restricting admin console access, enabling monitoring and alerts, and keeping software up to date, are part of Fortra’s security guidance for all GoAnywhere MFT deployments.
For all customers, we recommend following the mitigation actions listed here and in the GoAnywhere MFT Hardening Guide, as well as employing industry-specific configuration practices regarding data protection available in our customer center.
GoAnywhere continues to include a number of security features that our customers may implement to help further safeguard data within their GoAnywhere MFT environment. Customers should download and follow the best practices defined in the manuals available in the customer portal, including the GoAnywhere MFT Hardening Guide.
Customers can also review the Compliance for File Transfer Data Security to help ensure their configuration of the GoAnywhere product complies with laws and regulations that may apply to them. The information above features guidance on leveraging GoAnywhere across industries and geographic locations. We recommend customers review their specific data protection requirements and enable appropriate features in their MFT environment to meet potentially applicable data security standards.