What happened
CISA added CVE-2025-10035 (Fortra GoAnywhere MFT) to the Known Exploited Vulnerabilities catalog, marking it as exploited in the wild and assigning a remediation due date of 2025-10-20 that is binding on Federal Civilian Executive Branch agencies CISA KEV. The vulnerability is a deserialization of untrusted data condition: an actor who can present a license response bearing a signature the product accepts as valid can make it deserialize an arbitrary, actor-controlled object, possibly leading to command injection CISA KEV. NVD tracks the CVE entry for Fortra GoAnywhere MFT with the same vulnerability class and impact description NVD, and the MITRE CVE record confirms the identifier and affected product MITRE.
CISA's KEV entry marks this CVE as known to be used in ransomware campaigns, which elevates it to priority remediation status for government and critical infrastructure environments CISA KEV.
Why it matters
A KEV listing means CISA has reliable evidence that the vulnerability is actively exploited in the wild, and it obliges Federal Civilian Executive Branch agencies to remediate within the BOD 22-01 timeline CISA KEV. The flaw as described enables arbitrary object deserialization that may culminate in command injection within GoAnywhere MFT's execution context, a high-impact outcome matching the CWE-502 and CWE-77 classifications NVD. CISA's note that the CVE is associated with known ransomware campaigns further underscores the risk of rapid operationalization by criminal actors CISA KEV.
Technical detail
CVE-2025-10035 centers on deserialization of untrusted data reached through a license-response workflow: an attacker able to present a license response whose signature the product accepts as valid can cause GoAnywhere MFT to deserialize an arbitrary, actor-controlled object CISA KEV. Deserializing attacker-controlled objects is CWE-502 (Deserialization of Untrusted Data), a class known for enabling unexpected code paths and gadget invocation, because the object graph in the stream, not the application, decides which classes are instantiated and which of their methods run during reconstruction NVD. The downstream effect cited here is potential command injection, CWE-77 (Command Injection), which would allow command execution in the application's environment NVD.
The vulnerability affects Fortra GoAnywhere MFT, as identified in CISA's KEV entry and corroborated by the canonical CVE records CISA KEV MITRE. The attack precondition CISA highlights is possession of a license response that the product validates as signed; that signature check is the only gate described in front of the deserialization step, so an actor who can satisfy it reaches the sink directly. The cited summaries do not describe how such a signature is forged, only that an actor able to present one can trigger the deserialization that may lead to command injection CISA KEV.
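The pattern described above, a signature check as the sole gate in front of a native deserializer, is shown below in miniature as an added example. It is not Fortra's code and does not claim to mirror GoAnywhere MFT's implementation: Python's pickle stands in for the product's deserializer, the HMAC key, the class names and the recorded "command" are all assumptions, and the "forged" signature is modelled simply by producing one the handler accepts. The vulnerable handler instantiates whatever the signed blob describes; the hardened handler adds an allow-list on the classes that may be resolved, which is the generic CWE-502 mitigation regardless of how the signature was obtained.

```python
"""CWE-502 behind a signature check, in miniature (added example, not Fortra code).

Python's pickle stands in for the product's native deserializer; the HMAC key,
class names and the recorded "command" are all assumptions for the demo.
"""
import hashlib
import hmac
import io
import pickle

EXECUTED_COMMANDS = []  # constructed stand-in for the OS: commands are recorded, never run


def run_command(cmd):
    """Stand-in for os.system(); records the command so the demo has no side effects."""
    EXECUTED_COMMANDS.append(cmd)
    return 0


class LicenseResponse:
    """The only object a license-response handler should ever expect back."""

    def __init__(self, licensee, expires):
        self.licensee = licensee
        self.expires = expires


class CommandGadget:
    """Attacker-controlled object: unpickling it calls run_command(cmd) (the CWE-77 outcome)."""

    def __init__(self, cmd):
        self.cmd = cmd

    def __reduce__(self):
        return (run_command, (self.cmd,))


SIGNING_KEY = b"assumed-license-signing-key"  # assumption: whatever makes a signature validate


def sign(blob, key=SIGNING_KEY):
    return hmac.new(key, blob, hashlib.sha256).digest()


def verify(blob, sig, key=SIGNING_KEY):
    return hmac.compare_digest(sign(blob, key), sig)


def make_license_response(obj, key=SIGNING_KEY):
    """Serialise any object and sign it. An attacker who can forge signatures reaches the same state."""
    blob = pickle.dumps(obj)
    return blob, sign(blob, key)


def handle_vulnerable(blob, sig):
    """Vulnerable pattern: the signature check is the only gate in front of the deserializer."""
    if not verify(blob, sig):
        raise ValueError("invalid license response signature")
    return pickle.loads(blob)  # CWE-502: instantiates whatever the blob describes


class RestrictedUnpickler(pickle.Unpickler):
    """Allow-list deserializer: only LicenseResponse may be resolved; every other global is refused."""

    ALLOWED = {(LicenseResponse.__module__, "LicenseResponse")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refused to resolve {module}.{name}")


def handle_hardened(blob, sig):
    """Hardened pattern: signature check plus an allow-list on what may be deserialized."""
    if not verify(blob, sig):
        raise ValueError("invalid license response signature")
    obj = RestrictedUnpickler(io.BytesIO(blob)).load()
    if not isinstance(obj, LicenseResponse):
        raise ValueError("unexpected object in license response")
    return obj


def demo():
    """Returns (licensee from a genuine response, commands run by the vulnerable handler, hardened blocked?)."""
    EXECUTED_COMMANDS.clear()
    blob, sig = make_license_response(LicenseResponse("example-licensee", "2026-01-01"))
    licensee = handle_vulnerable(blob, sig).licensee

    # A signature the handler accepts over an actor-controlled object: the page's precondition.
    evil_blob, evil_sig = make_license_response(CommandGadget("id > /tmp/demo"))
    handle_vulnerable(evil_blob, evil_sig)  # the "command" runs during deserialization itself
    ran = list(EXECUTED_COMMANDS)

    try:
        handle_hardened(evil_blob, evil_sig)
        blocked = False
    except pickle.UnpicklingError:
        blocked = True
    return licensee, ran, blocked


if __name__ == "__main__":
    print(demo())
```

The point to take from the demo is that the command runs inside the deserialization call, before any application code gets to inspect the result, which is why a type check after the fact is too late and the allow-list has to sit inside the deserializer. The same idea applies to Java's ObjectInputFilter on an ObjectInputStream; the page does not say which filter, if any, the product uses.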
Defense
CISA's required action is to apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable CISA KEV. Agencies must meet the 2025-10-20 remediation due date given the KEV listing and the associated ransomware use CISA KEV. Make sure the vulnerability management workflow prioritizes this CVE explicitly by asset, version and exposure, with KEV status rather than severity score alone as the driver for scheduling and change control CISA KEV.
If a compensating-control period is unavoidable, treat affected GoAnywhere MFT instances as high risk because of the command injection outcome described in the CVE metadata: minimize their attack surface, in particular network reachability from untrusted sources, and watch them closely until vendor instructions are applied NVD. Continue to track the canonical CVE record for revision notes or new references MITRE.
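As an added example of the KEV-driven prioritization described above (not code from CISA, Fortra or this page's author), the script below cross-references a constructed asset inventory against an excerpt in the shape of CISA's KEV JSON feed and orders the findings by urgency. The feed excerpt uses the real KEV field names, but its contents are filled in only from what this page states; the hostnames, the exposure flags and the placeholder CVE-0000-00001 (deliberately absent from the feed) are constructed.

```python
"""KEV-driven triage of an asset inventory (added example).

The feed excerpt mirrors the field names of CISA's known_exploited_vulnerabilities.json,
but its contents are constructed from this page; the inventory is constructed too.
"""
import json
from datetime import date

# Constructed KEV excerpt: only the fields this page supports are filled in.
KEV_FEED = json.dumps({
    "vulnerabilities": [
        {
            "cveID": "CVE-2025-10035",
            "vendorProject": "Fortra",
            "product": "GoAnywhere MFT",
            "requiredAction": "Apply mitigations per vendor instructions, follow applicable "
                              "BOD 22-01 guidance for cloud services, or discontinue use "
                              "of the product if mitigations are unavailable.",
            "dueDate": "2025-10-20",
            "knownRansomwareCampaignUse": "Known",
        }
    ]
})

# Constructed inventory; CVE-0000-00001 is a placeholder deliberately absent from the feed.
ASSETS = [
    {"host": "mft-prod-01", "product": "GoAnywhere MFT", "internet_exposed": True, "cves": ["CVE-2025-10035"]},
    {"host": "mft-lab-02", "product": "GoAnywhere MFT", "internet_exposed": False, "cves": ["CVE-2025-10035"]},
    {"host": "wiki-01", "product": "Example Wiki", "internet_exposed": True, "cves": ["CVE-0000-00001"]},
]


def load_kev(feed_json):
    """Index the KEV feed by CVE identifier."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def triage(assets, kev, today):
    """Return one finding per (asset, KEV-listed CVE), most urgent first."""
    findings = []
    for asset in assets:
        for cve in asset["cves"]:
            entry = kev.get(cve)
            if entry is None:
                continue  # not in KEV: stays on the normal patch cadence
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "host": asset["host"],
                "cve": cve,
                "due": entry["dueDate"],
                "days_left": (due - today).days,
                "overdue": today > due,
                "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
                "exposed": asset["internet_exposed"],
                "action": entry["requiredAction"],
            })
    # Ransomware-linked first, then internet-exposed, then earliest due date.
    findings.sort(key=lambda f: (not f["ransomware"], not f["exposed"], f["days_left"]))
    return findings


if __name__ == "__main__":
    for f in triage(ASSETS, load_kev(KEV_FEED), date.today()):
        print(f"{f['host']:12} {f['cve']:16} due {f['due']} ({f['days_left']:+d} d) "
              f"ransomware={f['ransomware']} exposed={f['exposed']}")
```

The ordering key is the practical point: the KEV due date sets the deadline, the ransomware flag and exposure decide who goes first within it, and anything not in the feed never enters the list, so the KEV status drives the schedule directly rather than being one more attribute on a severity-sorted report.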
Lyrie Verdict
This is a clearly described deserialization-to-command-injection path tied to the license-response validation flow in GoAnywhere MFT CISA KEV. Lyrie's anti-rogue-AI posture auto-prioritizes KEV-tagged exploitation and enforces machine-speed interdiction around the vulnerable path: correlating license-response validation events with unsafe deserialization indicators and blocking execution before any command injection can manifest NVD. Our autonomous detectors treat CISA ransomware-associated CVEs as hot signals and drive immediate containment at the serialization boundary, without waiting for human review CISA KEV.
Autonomously prioritize and interdict this KEV-listed deserialization-to-command-injection path by correlating license-response validation with unsafe deserialization signals and blocking execution at machine speed.