PatchDay Alert
Analysis · 5 min read · 912 words By The Field Notes Desk · Field Notes

GoAnywhere MFT gets its third critical pre-auth bug in three years

Storm-1175 was exploiting CVE-2025-10035 two days before Fortra even shipped the hotfix to customers. Under 24 hours from initial access to ransomware. GoAnywhere's third year in a row.


Storm-1175 was already inside GoAnywhere instances on September 10 or 11. Fortra shipped the customer hotfix on September 12. The public advisory dropped September 18. That sequencing means the Medusa ransomware affiliate was exploiting this vulnerability two days before the vendor’s own customers received a patch, and eight days before the rest of the world knew it existed.

From initial access to ransomware deployment: under 24 hours. That’s not an APT doing quiet intelligence collection. That’s a team that came with the tools pre-staged and the playbook already written.

The vulnerability

CVE-2025-10035 is a pre-authentication remote code execution in GoAnywhere MFT’s License Servlet. CVSS 9.8 from NVD; Fortra scored it 10.0. No credentials required, no user interaction, network-accessible. The exploit chain is three steps: path manipulation to reach the servlet without authenticating, relying on hardcoded keys; submission of a forged license-response token; and Java deserialization of that token via SignedObject.getObject(), which hands the attacker-controlled object to an unrestricted ObjectInputStream and fires an arbitrary gadget chain. Fortra’s advisory states the precondition plainly: an actor “with a validly forged license response signature” can deserialize an arbitrary actor-controlled object. The fix replaces that unconstrained deserializer with a restricted one; the signature check alone was never the safety boundary.
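The shape of the bug, as an added Python analogue rather than Fortra’s Java: a wrapper whose signature is checked but whose payload is then fed to an unrestricted deserializer, beside the allow-listed deserializer the fix pattern calls for. Python’s pickle stands in for Java serialization, an HMAC over the payload stands in for the SignedObject signature, and the attacker is assumed to hold the signing key (the “validly forged signature” case). Every name in it, including LicenseRecord and LicenseGadget, is constructed for the example and is not GoAnywhere code.

```python
"""Signed-then-deserialized: why a signature check does not contain a deserializer.

Added example, not Fortra code.  pickle stands in for Java serialization and an
HMAC for the SignedObject signature; the attacker is assumed to hold the key.
"""
import hashlib
import hmac
import io
import pickle
from dataclasses import dataclass

# Constructed signing key.  In the real product a key pair does this job; the
# forged-signature scenario collapses to "the attacker can sign", modelled here
# by one shared symmetric key.
SIGNING_KEY = b"constructed-demo-signing-key"

EXECUTED: list[str] = []  # records side effects so the outcome is observable


@dataclass
class LicenseRecord:
    """The only type the license endpoint legitimately needs to receive."""
    customer: str
    seats: int


def record_execution(message: str) -> str:
    """Stand-in for the attacker's command; real gadget chains spawn processes."""
    EXECUTED.append(message)
    return message


class LicenseGadget:
    """A serialised object whose reconstruction runs code: a one-link gadget chain."""

    def __reduce__(self):
        return (record_execution, ("gadget ran inside the deserializer",))


def sign(payload: bytes) -> bytes:
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()


def verify(payload: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(sign(payload), signature)


def vulnerable_get_object(payload: bytes, signature: bytes):
    """Mirrors SignedObject.getObject(): verify, then hand the bytes to an
    unrestricted deserializer.  A valid signature on a malicious payload
    executes the gadget before any application code sees the object."""
    if not verify(payload, signature):
        raise ValueError("signature does not verify")
    return pickle.loads(payload)


class RestrictedUnpickler(pickle.Unpickler):
    """Allow-list deserializer: only LicenseRecord may be reconstructed."""

    def find_class(self, module, name):
        if module == LicenseRecord.__module__ and name == "LicenseRecord":
            return LicenseRecord
        raise pickle.UnpicklingError(f"refusing to deserialize {module}.{name}")


def restricted_get_object(payload: bytes, signature: bytes):
    """The fix pattern: same signature check, restricted deserializer behind it."""
    if not verify(payload, signature):
        raise ValueError("signature does not verify")
    return RestrictedUnpickler(io.BytesIO(payload)).load()


def run_demo() -> dict:
    """Run both deserializers against a legitimate and a malicious signed payload."""
    EXECUTED.clear()
    legit = pickle.dumps(LicenseRecord("example-customer", 25))
    malicious = pickle.dumps(LicenseGadget())  # the attacker signs this too
    results = {}
    results["legit_restricted"] = restricted_get_object(legit, sign(legit))
    results["vulnerable_returned"] = vulnerable_get_object(malicious, sign(malicious))
    results["vulnerable_executed"] = len(EXECUTED) == 1
    try:
        restricted_get_object(malicious, sign(malicious))
        results["restricted_blocked"] = False
    except pickle.UnpicklingError:
        results["restricted_blocked"] = True
    return results


if __name__ == "__main__":
    print(run_demo())
```

The point the page makes about the unresolved signature question falls out of the code: once the attacker can produce a verifying signature, the vulnerable path has no further defence, whereas the restricted path rejects the payload before the gadget’s constructor ever runs.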

Affected versions: GoAnywhere MFT through 7.8.3 (latest branch) and through 7.6.2 (Sustain branch). Fixed in 7.8.4 and 7.6.3.

One unresolved question: how Storm-1175 produced a signature the SignedObject wrapper accepts. Fortra’s wording, “validly forged,” implies the attackers can generate a signature that verifies, which normally means holding the private key, and nobody has publicly explained where that key came from. If the answer is “hardcoded keys in the License Servlet,” then the authentication bypass and the deserialization flaw share a common ancestor: Fortra shipping static secrets in a DMZ-facing product.

Three years running

This is the third consecutive year GoAnywhere has shipped a critical or maximum-severity pre-authentication vulnerability:

  • 2023: CVE-2023-0669, a pre-authentication deserialization bug in the License Response Servlet, let Cl0p compromise over 130 organizations.
  • 2024: CVE-2024-0204 was a CVSS 9.8 authentication bypass that let an unauthenticated attacker create a new administrator account.
  • 2025: CVE-2025-10035.

Plot this alongside Accellion FTA in 2020, MOVEit in 2023, and Cleo Harmony/VLTrader/LexiCom in 2024, and managed file transfer as a product category is producing critical pre-auth vulnerabilities on an annual cadence. Ransomware groups have noticed. At some point, the pattern stops being a coincidence and starts being a property of how these products are built.

What it means for your environment

GoAnywhere MFT sits in the DMZ of roughly 3,000 organizations, concentrated in healthcare, finance, insurance, and government. It moves files between partners and internal systems. The Admin Console and License Servlet expose HTTP endpoints that are commonly internet-reachable because the whole point of the product is to accept inbound transfers from external parties.

Storm-1175’s post-exploitation was fast and documented. The chain: JSP webshells dropped into the GoAnywhere directory structure, a backdoor admin account named “admin-go” created for persistence, SimpleHelp and MeshAgent RMM tools installed for remote access, network scanning, lateral movement via mstsc/PsExec/Impacket, data exfiltration through Rclone, and finally ransomware pushed via PDQ Deploy.

Censys counts approximately 740 GoAnywhere instances visible on the public internet. Of those, 40 have been confirmed vulnerable. The real exposure is likely higher because not every instance advertises its version cleanly.

What you need to do

Patch. Upgrade to 7.8.4 (latest branch) or 7.6.3 (Sustain branch). This is not a hot-patch. It requires a full service restart and a database schema migration. No file transfers can be active during the upgrade. Clustered deployments require all nodes to come down simultaneously.

That constraint is the operational problem. GoAnywhere is often the system that moves payroll files, insurance claims, and regulatory submissions on a schedule. “Take it down for maintenance” means coordinating with every partner and internal process that depends on those scheduled transfers. You need a maintenance window, and you need it soon. The coordination cost of a planned window is lower than the coordination cost of an incident where your payroll files are on a leak site.

If you cannot patch immediately:

  • Block internet access to the Admin Console and License Servlet. If external partners only need the file transfer endpoints, there’s no reason the license management path should be reachable from outside.
  • Deploy a WAF rule blocking requests to /goanywhere/license/. Match on the normalized path, not the raw request line: the same path manipulation the exploit chain uses to reach the servlet will walk around a literal prefix match. This is a compensating control, not a fix.
  • Monitor GoAnywhere logs under userdata/logs/ for stack traces containing SignedObject.getObject. That’s the deserializer firing.
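The two controls above, as added Python that is not Fortra’s or any WAF vendor’s code: a block rule that normalizes the request path before matching, so percent-encoding, dot segments, Tomcat-style `;` path parameters and case differences cannot step around a literal /goanywhere/license/ prefix, and a sweep of GoAnywhere log lines for a stack frame through SignedObject.getObject that attaches the nearest timestamp to each hit. The `;` handling assumes Tomcat path-parameter semantics; the sample requests and log lines (including the com.example frame) are constructed.

```python
"""Compensating controls for an unpatched GoAnywhere MFT instance.

Added example, not Fortra or WAF-vendor code.  normalize_path() assumes the
servlet container treats ';...' inside a segment as a path parameter, as
Tomcat does; SAMPLE_LOG and SAMPLE_REQUESTS are constructed.
"""
import re
from urllib.parse import unquote

BLOCKED_PREFIXES = ("/goanywhere/license/",)


def normalize_path(raw: str) -> str:
    """Canonicalise a request path so percent-encoding (including double
    encoding), '.' and '..' segments, ';' path parameters, backslashes and case
    cannot slip a license-servlet request past a literal prefix rule."""
    path = raw.split("?", 1)[0]
    for _ in range(2):                 # collapse %252e -> %2e -> .
        path = unquote(path)
    path = path.replace("\\", "/")
    segments: list[str] = []
    for segment in path.split("/"):
        segment = segment.split(";", 1)[0].lower()   # '..;' becomes '..'
        if segment in ("", "."):
            continue
        if segment == "..":
            if segments:
                segments.pop()
            continue
        segments.append(segment)
    return "/" + "/".join(segments)


def should_block(raw_path: str) -> bool:
    """True when the normalised path is the license servlet or anything under it."""
    path = normalize_path(raw_path)
    return any(path == prefix.rstrip("/") or path.startswith(prefix)
               for prefix in BLOCKED_PREFIXES)


# Log sweep: stack-trace frames carry no timestamp of their own, so each hit is
# tagged with the most recent timestamped line seen before it.
TIMESTAMP = re.compile(r"^(\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}:\d{2})")
DESERIALIZER_FRAME = re.compile(r"java\.security\.SignedObject\.getObject")


def find_deserializer_traces(lines):
    """Return (timestamp, frame) pairs for lines showing the deserializer firing."""
    hits, current_ts = [], None
    for line in lines:
        stamped = TIMESTAMP.match(line)
        if stamped:
            current_ts = stamped.group(1)
        if DESERIALIZER_FRAME.search(line):
            hits.append((current_ts, line.strip()))
    return hits


SAMPLE_LOG = """\
2025-09-11 03:14:07 INFO  GET /goanywhere/webclient/Login.xhtml from 10.0.3.20
2025-09-11 03:15:42 ERROR License response could not be processed
java.lang.ClassCastException: constructed example trace
    at java.base/java.security.SignedObject.getObject(Unknown Source)
    at com.example.mft.LicenseServlet.doPost(Unknown Source)
2025-09-11 03:15:43 INFO  GET /goanywhere/webclient/Login.xhtml from 10.0.3.21
""".splitlines()

SAMPLE_REQUESTS = [
    "/goanywhere/webclient/Login.xhtml",            # legitimate, must pass
    "/goanywhere/license/request",                  # literal hit
    "/goanywhere/images/..;/license/request",       # ';' parameter plus '..' walk
    "/goanywhere/%4cicense/request",                # percent-encoded 'L'
    "/goanywhere/LICENSE/request?x=1",              # case change plus query string
]

if __name__ == "__main__":
    for request in SAMPLE_REQUESTS:
        print("BLOCK" if should_block(request) else "allow", request)
    for ts, frame in find_deserializer_traces(SAMPLE_LOG):
        print(ts, frame)
```

Run against the constructed requests, only the WebClient login passes; the three disguised license-servlet requests all normalize to /goanywhere/license/request and are blocked. Whatever WAF you use, confirm it applies the same normalization before its prefix match, or test it with requests like these.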

Hunt for existing compromise. If your instance was internet-exposed at any point before you applied the fix, verify that it is clean rather than assume it:

  • Check for a user account named “admin-go.”
  • Look for .jsp files in GoAnywhere application directories that you didn’t put there.
  • Search for SimpleHelp or MeshAgent binaries on the host. IOC hashes: MeshAgent 4106c35f..., SimpleHelp c7e26327..., cd5aa589..., 5ba7de7d....
  • Check for Rclone installations or configuration files.
  • Network logs: connections to 31.220.45.120, 45.11.183.123, or 213.183.63.41.
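The hunt list above as one added triage sweep in Python, not Microsoft’s, Fortra’s or this page’s code, run over a constructed host snapshot: it checks local accounts for the backdoor name, diffs .jsp files under the application root against a known-good listing, looks for RMM and Rclone artefacts by file name, and parses connection records for the listed IPs. The install roots in APP_DIRS, the connection-log line format and every sample path are assumptions; the hashes in the text are truncated, so the sweep does not attempt hash matching.

```python
"""Triage sweep for Storm-1175 post-exploitation artefacts on a GoAnywhere host.

Added example, not vendor code.  Indicator values (account name, tool names,
IPs) come from the reporting; APP_DIRS, the log format and SAMPLE are assumed
or constructed.
"""
import re
from dataclasses import dataclass, field

ROGUE_ACCOUNTS = {"admin-go"}
RMM_MARKERS = ("simplehelp", "meshagent", "rclone")      # matched on file name
C2_IPS = {"31.220.45.120", "45.11.183.123", "213.183.63.41"}
APP_DIRS = ("/opt/goanywhere/", "C:\\Program Files\\GoAnywhere\\")  # assumed roots

# Assumed connection-log shape: "<ts> <proto> <src>:<port> -> <dst>:<port> <state>"
NETLOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+(?P<src>[\d.]+):\d+\s*->\s*(?P<dst>[\d.]+):(?P<port>\d+)"
)


@dataclass
class HostSnapshot:
    local_accounts: list[str]
    files: list[str]
    baseline_files: set[str]   # listing from a known-good install or pre-incident backup
    netlog: list[str]


@dataclass
class Findings:
    rogue_accounts: list[str] = field(default_factory=list)
    unexpected_jsp: list[str] = field(default_factory=list)
    rmm_artifacts: list[str] = field(default_factory=list)
    c2_connections: list[tuple[str, str, str]] = field(default_factory=list)

    def compromised(self) -> bool:
        return any((self.rogue_accounts, self.unexpected_jsp,
                    self.rmm_artifacts, self.c2_connections))


def _norm(path: str) -> str:
    """Case-fold and unify separators so Windows and Linux paths compare alike."""
    return path.replace("\\", "/").lower()


def hunt(snapshot: HostSnapshot) -> Findings:
    findings = Findings()
    findings.rogue_accounts = [a for a in snapshot.local_accounts
                               if a.lower() in ROGUE_ACCOUNTS]
    baseline = {_norm(p) for p in snapshot.baseline_files}
    app_dirs = tuple(_norm(d) for d in APP_DIRS)
    for path in snapshot.files:
        n = _norm(path)
        if n.endswith((".jsp", ".jspx")) and n.startswith(app_dirs) and n not in baseline:
            findings.unexpected_jsp.append(path)      # webshell candidate
        if any(marker in n.rsplit("/", 1)[-1] for marker in RMM_MARKERS):
            findings.rmm_artifacts.append(path)
    for line in snapshot.netlog:
        m = NETLOG_RE.match(line)
        if m and m.group("dst") in C2_IPS:
            findings.c2_connections.append((m.group("ts"), m.group("dst"), m.group("port")))
    return findings


SAMPLE = HostSnapshot(
    local_accounts=["Administrator", "svc_goanywhere", "admin-go"],
    files=[
        "/opt/goanywhere/tomcat/webapps/goanywhere/index.jsp",        # in baseline
        "/opt/goanywhere/tomcat/webapps/goanywhere/images/help.jsp",  # not in baseline
        "/opt/goanywhere/userdata/logs/goanywhere.log",
        "/tmp/MeshAgent",
        "/home/svc/.config/rclone/rclone.conf",
    ],
    baseline_files={"/opt/goanywhere/tomcat/webapps/goanywhere/index.jsp"},
    netlog=[
        "2025-09-11T03:20:11Z TCP 10.0.3.15:51522 -> 45.11.183.123:443 ESTABLISHED",
        "2025-09-11T03:21:05Z TCP 10.0.3.15:51530 -> 10.0.3.40:3389 ESTABLISHED",
    ],
)

if __name__ == "__main__":
    result = hunt(SAMPLE)
    print("compromised:", result.compromised())
    print(result)
```

The baseline diff is the part worth keeping: a fresh .jsp anywhere under the application root is the durable signal, while account names, tool names and IPs are the cheapest things for the next affiliate to change.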

A Sigma rule exists: proc_creation_win_exploit_cve_2025_10035. As the name says, it keys on Windows process creation, so it needs command-line process auditing (Sysmon event 1 or Security event 4688 with command-line logging) feeding a SIEM with Sigma support. If you have that, deploy it, but understand what it covers: the processes spawned after exploitation, not the request to the License Servlet itself.

The product question

CISA’s remediation deadline was October 20, 2025. If you’re reading this and your GoAnywhere instance is still on 7.8.3 or earlier, you’re past the deadline and operating with a known pre-auth RCE in a DMZ-facing system that ransomware groups have already weaponized.

Three critical pre-auth bugs in three years from the same product, two of them deserialization flaws in its license-handling servlet. The conversation eventually stops being about patching faster and starts being about whether GoAnywhere belongs in the DMZ at all, or whether it’s time to evaluate the product against alternatives that haven’t become a recurring ransomware entry point. If you’ve patched GoAnywhere three times in three years for critical bugs, you’ve already spent the political capital to have that conversation. Might as well spend it intentionally.

PatchDay Alert tracks KEV additions and exploitation timelines daily. The next time your MFT vendor ships a critical, you’ll have the operational context the same day it hits the catalog.
