CVE-2025-10035 · CRITICAL 9.8 · CISA KEV · EPSS p99.9%

CVE-2025-10035: Fortra GoAnywhere MFT Deserialization of Untrusted Data Vulnerability

Fortra / GoAnywhere MFT

Description

Fortra GoAnywhere MFT contains a deserialization of untrusted data vulnerability that allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 99.61% probability of exploitation · percentile 99.9% · 2026-06-15T12:03:41Z
Published: 2025-09-18
Last modified: 2025-10-24

CISA KEV entry

Added to KEV: 2025-09-29

Underlying weaknesses · 2

CWE-77, CWE-502

References

  1. https://www.fortra.com/security/advisories/product-security/fi-2025-012
  2. https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-10035

2

| Type | Target | ID | Confidence | Tier |
|---|---|---|---|---|
| Weakness | Deserialization of Untrusted Data | cwe-502 | 0% | live |
| Weakness | Improper Neutralization of Special Elements used in a Command ('Command Injection') | cwe-77 | 0% | live |

(incoming) · 1

| Type | Target | ID | Confidence | Tier |
|---|---|---|---|---|
| KEVEntry | Fortra GoAnywhere MFT Deserialization of Untrusted Data Vulnerability | kev-cve-2025-10035 | 0% | live |

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: CVE-2023-0669
CVE: CVE-2025-47732
CVE: CVE-2026-26142
CVE: Dassault Systèmes DELMIA Apriso Deserialization of Untrusted Data Vulnerability
CVE: Microsoft COM for Windows Deserialization of Untrusted Data Vulnerability
CVE: CVE-2025-55232

Sourced from NVD + CISA KEV + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.