Mastodon

Security alert Fortra CVE-2025-10035: Stormshield Products Response

Published on: 26 09 2025

Author: Stormshield Customer Security Lab

< 1 minute

A critical vulnerability impacting Fortra GoAnywhere MFT has been reported. It has been assigned the reference CVE-2025-10035 and a CVSS 3.1 score of 10.

It should be noted that proof of concept are publicly public, about this CVE-2025-10035.

 

Initial vector attack of the Fortra vulnerability

The vulnerability tracked as CVE-2025-10035 allows an unauthenticated attacker to remotely execute some code on the system, throught the License Servlet of Fortra GoAnywhere MFT.

 

Technical details of the Fortra vulnerability

The vulnerability lies on the License Servlet module. Under some conditions, it sends a valid token to any unauthenticated user, which can then be used by an attacker to inject a malicious object on the server. The server will then deserialize the object and execute it.

All versions below 7.8.4 and 7.6.3 are impacted.

 

Attack modelling with MITRE ATT&CK

MITRE ATT&CK

  • T1190 : Content Injection
  • T1190 : Exploit Public-Facing Application

IoC

It is advised to check the audit logs for errors, especially the ones with this format that mays indicate a compromission:

ERROR Error parsing license response
java.lang.RuntimeException: InvocationTargetException: java.lang.reflect.InvocationTargetException
...
at java.base/java.io.ObjectInputStream.readObject(Unknown Source)
at java.base/java.security.SignedObject.getObject(Unknown Source)
at com.linoma.license.gen2.BundleWorker.verify(BundleWorker.java:319)
at com.linoma.license.gen2.BundleWorker.unbundle(BundleWorker.java:122)
at com.linoma.license.gen2.LicenseController.getResponse(LicenseController.java:441)
at com.linoma.license.gen2.LicenseAPI.getResponse(LicenseAPI.java:304)
at com.linoma.ga.ui.admin.servlet.LicenseResponseServlet.doPost(LicenseResponseServlet.java:64)

 

How to protect against the Fortra vulnerability with Stormshield Network Security

Protection against CVE-2025-10035

Stormshield Network Security (SNS) firewalls detect and block exploitation of CVE-2025-10035 with the following IPS signature:

  • • http:mix.360 : Exploitation of an authentication bypass vulnerability in Fortra GoAnywhere MFT (CVE-2025-10035)

For this protection to be efficient, the HTTPS traffic must be decrypted.

Confidence index for the protection offered by Stormshield

Confidence index for the absence of false positives

Recommandations regarding the Fortra vulnerability

It is highly recommended to update the Fortra GoAnywhere MFT to one of those versions:

  • 7.8.4
  • 7.6.3
Tags :

Share on

[juiz_sps buttons="facebook, twitter, linkedin, mail"]
Need more information about Stormshield protection? The Technical Support teams are at your disposal to help you. Contact them through the incident manager located in the MyStormshield private area. To access it, select the menu "Technical Support / Report an incident / Track an incident".
Stormshield's Cyber Threat Intelligence team has two primary missions: to study cyber threats to understand them and to continuously improve Stormshield product protections. All with the goal of contributing to the cybersecurity community's effort to address cyber threats.
About the author
mm
Stormshield Customer Security Lab
Last articles

See all articles from Alert

Read more