Is This Bad? This Feels Bad. (Fortra GoAnywhere CVE-2025-10035)


File transfer used to be simple fun - fire up your favourite FTP client, log in to a glFTPd site, and you were done. Fast forward to 2025, and the same act requires a procurement team, a web interface, and a vendor proudly waving their Secure by Design pledge. Ever

GoAnywhere MFT suffers from a pre-authentication command injection vulnerability in the License Response Servlet due to deserializing an arbitrary attacker-controlled object.

But watchTowr, how did this get a CVSS 10.0?

Fueling our conspiracy theories was the advisory deletion and reference update we discussed above, including a stack trace which signals a valid exploitation attempt and asks the user to check their logs:

While this mystery continues to evolve, and we're excited to see if anyone takes the baton from us, concerned operators and end users can use our Detection Artefact Generator to check for externally vulnerable instances.
