Fortra disclosed a critical vulnerability in GoAnywhere Managed File Transfer (MFT), tracked as CVE-2025-10035, with a CVSS score of 10.0. The flaw allows attackers to execute remote code without authentication. Review this Cybersecurity Threat Advisory to keep your systems safe.
What is the threat?
CVE-2025-10035 is a critical deserialization vulnerability in the License Servlet of GoAnywhere MFT, a platform enterprises use to automate sensitive data transfers. According to the vulnerability record, an attacker holding a validly forged license response signature can make the servlet deserialize an arbitrary attacker-controlled object, which can lead to command injection on the server with no authentication required. A successful attack could lead to data exfiltration, ransomware deployment, and disruption of file transfer workflows, posing a serious threat to organizational data integrity and operations.
Why is it noteworthy?
Organizations widely adopt GoAnywhere MFT for secure file transfers, which makes it a high-value target when vulnerabilities emerge. CVE-2025-10035 is especially concerning due to its maximum severity rating and the ability to perform unauthenticated remote code execution (RCE), which could result in complete system compromise. Although there are no confirmed reports of exploitation in the wild, the combination of unauthenticated access and the platform’s role in handling sensitive data means organizations should treat this as a critical issue and prioritize remediation.
What is the exposure or risk?
CVE-2025-10035 poses a severe risk to enterprise environments that rely on managed file transfers for sensitive data exchange. Exploitation could allow attackers to exfiltrate, modify, or delete sensitive files, create new administrative accounts or escalate privileges, and disrupt automated file transfer workflows. Attackers have targeted GoAnywhere in past campaigns, most visibly the 2023 mass exploitation of CVE-2023-0669, so this vulnerability demands immediate attention and remediation.
What are the recommendations?
Barracuda recommends the following to secure your system:
- Upgrade every GoAnywhere MFT instance (production, HA, and test) to version 7.8.4, or to Sustain Release 7.6.3 if the instance is on the 7.6 branch.
- Remove the Admin Console from the public internet. Fortra notes that exploitability depends on the system being reachable from the internet, so restricting the console is also the interim mitigation if patching must wait. Place management behind VPN or zero-trust access and segment the network.
- Review GoAnywhere audit and Admin Console logs for unexpected command execution, newly created or modified admin accounts, and changes to projects, jobs, or scripts. Fortra's advisory also points to error-log entries containing "SignedObject.getObject" as an indicator of attempted exploitation.
- Prepare an incident response playbook for this unauthenticated RCE: rapid isolation of affected instances, emergency patching to 7.8.4 or Sustain Release 7.6.3, rotation of credentials and keys stored on or used by the server, log triage for unexpected commands and new accounts, and notification of trading partners if their transfers were affected.
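The following script, added here as an example and not part of the Barracuda advisory or of Fortra's tooling, turns the patch-version and exposure recommendations above into a triage of an inventory of GoAnywhere MFT instances. It compares each instance's version against the fixed releases named in the advisory (7.8.4 on the mainline, Sustain Release 7.6.3 on the 7.6 branch), flags instances whose Admin Console is internet-exposed, and ranks the result. The hostnames, versions, and inventory fields are constructed for illustration.

```python
from dataclasses import dataclass, field

FIXED_MAINLINE = (7, 8, 4)  # first fixed mainline release named in the advisory
FIXED_SUSTAIN = (7, 6, 3)   # first fixed Sustain Release on the 7.6 branch
SUSTAIN_BRANCH = (7, 6)


def parse_version(text: str) -> tuple:
    """'7.8.3' -> (7, 8, 3). Raises ValueError for anything that is not dotted digits."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def required_version(version: str) -> str:
    """The fixed release an instance should be on, respecting the Sustain branch."""
    return "7.6.3" if parse_version(version)[:2] == SUSTAIN_BRANCH else "7.8.4"


def is_patched(version: str) -> bool:
    """True when the instance is at or above the fixed release for its branch.
    7.6.x is compared against the Sustain fix; everything else against 7.8.4,
    so 7.7.x and 7.8.0 through 7.8.3 are flagged as unpatched."""
    v = parse_version(version)
    if v[:2] == SUSTAIN_BRANCH:
        return v >= FIXED_SUSTAIN
    return v >= FIXED_MAINLINE


@dataclass
class Instance:
    host: str
    role: str                         # prod / HA / test, as in the advisory
    version: str
    admin_console_internet_exposed: bool


@dataclass
class Finding:
    host: str
    priority: str                     # critical / high / medium / ok
    actions: list = field(default_factory=list)


def triage(instances) -> list:
    """Rank instances by how urgently the advisory's recommendations apply."""
    findings = []
    for inst in instances:
        actions = []
        try:
            patched = is_patched(inst.version)
            target = required_version(inst.version)
        except ValueError:
            # Unknown version: assume vulnerable until someone checks the host.
            patched, target = False, "7.8.4 (confirm branch first)"
            actions.append(f"version {inst.version!r} unreadable: verify on the host")
        if not patched:
            actions.append(f"upgrade to {target}")
            actions.append("review logs for unexpected commands, new/modified admins, job or script changes")
        if inst.admin_console_internet_exposed:
            actions.append("remove Admin Console from the internet; VPN/zero-trust only")
        if not patched and inst.admin_console_internet_exposed:
            priority = "critical"     # unauthenticated RCE reachable from anywhere
        elif not patched:
            priority = "high"
        elif inst.admin_console_internet_exposed:
            priority = "medium"       # patched, but exposure the advisory says to remove
        else:
            priority = "ok"
        findings.append(Finding(inst.host, priority, actions))
    order = {"critical": 0, "high": 1, "medium": 2, "ok": 3}
    return sorted(findings, key=lambda f: order[f.priority])


# Constructed sample inventory (hostnames and versions invented for illustration).
SAMPLE_INVENTORY = [
    Instance("mft-prod-01", "prod", "7.8.3", True),
    Instance("mft-prod-02", "HA", "7.8.4", False),
    Instance("mft-legacy-01", "prod", "7.6.2", False),
    Instance("mft-test-01", "test", "7.7.1", True),
    Instance("mft-lab-01", "test", "unknown", False),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f.priority:8} {f.host}: {'; '.join(f.actions) or 'no action'}")
```

The branch-aware comparison matters: a naive "is the version at least 7.6.3" check would pass 7.7.1 and 7.8.3, both of which are unpatched. Feed the script your real inventory and work the list top down.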
References
For more in-depth information about the recommendations, please visit the following links:
- https://thehackernews.com/2025/09/fortra-releases-critical-patch-for-cvss.html
- https://nvd.nist.gov/vuln/detail/CVE-2025-10035
- https://www.cve.org/cverecord?id=CVE-2025-10035
If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.