id: CVE-2025-10035

info:
  name: GoAnywhere - Authentication Bypass
  author: DhiyaneshDk,watchtowr
  severity: critical
  description: |
    Fortra GoAnywhere MFT contains an insecure deserialization vulnerability in the License Servlet. The servlet deserializes attacker-controlled objects when they carry a validly forged license response signature, which lets attackers perform command injection. Exploitation requires a valid forged license response signature.
  reference:
    - https://labs.watchtowr.com/is-this-bad-this-feels-bad-goanywhere-cve-2025-10035/
    - https://attackerkb.com/topics/LbA9ANjcdz/cve-2025-10035/rapid7-analysis
    - https://www.fortra.com/security/advisories/product-security/fi-2025-011
  impact: |
    Attackers can execute arbitrary commands remotely, potentially leading to full system compromise.
  remediation: |
    Update to the latest version with the deserialization fix.
  metadata:
    verified: true
    max-request: 1
    shodan-query: title:"GoAnywhere"
    fofa-query: title="GoAnywhere"
  tags: cve,cve2025,goanywhere,auth-bypass,vkev,kev,vuln

variables:
  string: "{{to_lower(rand_text_alpha(5))}}"

http:
  - method: GET
    path:
      - "{{BaseURL}}/goanywhere/license/Unlicensed.xhtml/{{string}}?javax.faces.ViewState={{string}}&GARequestAction=activate"
      - "{{BaseURL}}/license/Unlicensed.xhtml/{{string}}?javax.faces.ViewState={{string}}&GARequestAction=activate"

    stop-at-first-match: true

    matchers:
      - type: dsl
        dsl:
          - contains_all(location, "request?bundle=", "my.goanywhere.com")
          - status_code == 302
        condition: and

    extractors:
      - type: dsl
        dsl:
          - location
# digest: 490a00463044022008481d436f08c510437db7dc1c8f2887b8d2717d70b169a2965f6931207806b902206475ce7d23c2a4fbf7577133b83298373d60745fee36442a47b3bbc8854a8104:922c64590222798bb761d5b6d8e72950