
Fortra has disclosed details of a critical security flaw in GoAnywhere Managed File Transfer (MFT) software that could result in the execution of arbitrary commands.
The vulnerability, tracked as CVE-2025-10035, has a CVSS score of 10.0, indicating maximum severity.
“A deserialization vulnerability in Fortra’s GoAnywhere MFT license servlet allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection,” Fortra announced Thursday.
The company also noted that successful exploitation of the vulnerability depends on the system being exposed to the internet.
Users are advised to update to a patched release (version 7.8.4 or Sustain Release 7.6.3) to protect against potential threats. If immediate patching is not possible, it is advisable to ensure that access to the GoAnywhere Admin Console is not publicly available.

Fortra makes no mention of the flaw being exploited in the wild. That said, a previously disclosed flaw in the same product (CVE-2023-0669, CVSS score: 7.2) was abused as a zero-day by ransomware actors to steal sensitive data.
Then, early last year, Fortra addressed another critical vulnerability in GoAnywhere MFT (CVE-2024-0204, CVSS score: 9.8).
“The newly disclosed vulnerability in Fortra’s GoAnywhere MFT solution affects the same license code path as the previous CVE-2023-0669, which was widely exploited by multiple ransomware and APT groups in 2023.
“With thousands of MFT instances exposed to the internet, this issue is almost certain to be weaponized for in-the-wild exploitation soon. While Fortra notes that exploitation requires external exposure, organizations generally need to assume that internet-facing systems are vulnerable.”