=====================================================================
CERT-Renater Note d'Information No. 2025/VULN632
_____________________________________________________________________
DATE : 23/09/2025
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running GoAnywhere MFT versions prior to 7.8.4, Sustain Release 7.6.3.
=====================================================================

https://www.fortra.com/security/advisories/product-security/fi-2025-012
_____________________________________________________________________

Deserialization Vulnerability in GoAnywhere MFT's License Servlet

FI-2025-012 - Deserialization Vulnerability in GoAnywhere MFT's License Servlet
Severity:       Critical
Published Date: 18-Sep-2025
Updated Date:   18-Sep-2025
Vulnerabilities: CVE-2025-10035

Description
A deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection.

Am I Impacted?
Customers are advised to monitor their Admin Audit logs for suspicious activity and the log files for errors containing SignedObject.getObject. If this string is present in an exception stack trace (similar to the following), then the instance was likely affected by this vulnerability.

ERROR Error parsing license response
java.lang.RuntimeException: InvocationTargetException: java.lang.reflect.InvocationTargetException
...
    at java.base/java.io.ObjectInputStream.readObject(Unknown Source)
    at java.base/java.security.SignedObject.getObject(Unknown Source)
    at com.linoma.license.gen2.BundleWorker.verify(BundleWorker.java:319)
    at com.linoma.license.gen2.BundleWorker.unbundle(BundleWorker.java:122)
    at com.linoma.license.gen2.LicenseController.getResponse(LicenseController.java:441)
    at com.linoma.license.gen2.LicenseAPI.getResponse(LicenseAPI.java:304)
    at com.linoma.ga.ui.admin.servlet.LicenseResponseServlet.doPost(LicenseResponseServlet.java:64)

Vulnerabilities
Deserialization Vulnerability in GoAnywhere MFT's License Servlet
Severity:       Critical
CVE:            CVE-2025-10035
CWE:            CWE-77, CWE-502: Improper Neutralization of Special Elements used in a Command ('Command Injection'), Deserialization of Untrusted Data
Discovery Date: 11-Sep-2025
CVSSv3.1:       10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Affected Products: GoAnywhere MFT

Remediation: Mitigation
Immediately ensure that access to the GoAnywhere Admin Console is not open to the public. Exploitation of this vulnerability is highly dependent upon systems being externally exposed to the internet.

Remediation: Mitigation
Upgrade to a patched version (the latest release 7.8.4, or the Sustain Release 7.6.3).

References
https://www.cve.org/cverecord?id=CVE-2025-10035

=========================================================
+ CERT-RENATER         | tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel     | fax : 01-53-94-20-41          +
+ 75013 Paris          | email:cert@support.renater.fr +
=========================================================
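An added example (not part of the CERT-Renater note or of Fortra's advisory) of the log check described under "Am I Impacted?": it groups a GoAnywhere log into records and flags every stack trace that passed through SignedObject.getObject, reporting the servlet frame that reached it for triage. It assumes each record starts with a timestamp of the form used in the constructed sample; the sample log lines are constructed, not taken from a real system.

```python
import re
from typing import Dict, Iterable, Iterator, List, Tuple

# The string Fortra's advisory tells administrators to look for in the log files.
INDICATOR = "java.security.SignedObject.getObject"
# ASSUMPTION: each log record starts with an ISO-like timestamp; the exception
# line and the "at ..." frames that follow belong to that record. Adjust for your format.
START_RE = re.compile(r"^\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}:\d{2}")

def iter_records(lines: Iterable[str]) -> Iterator[Tuple[int, List[str]]]:
    """Yield (line number, [message line, trace lines...]) for each log record."""
    current: List[str] = []
    start = 0
    for n, line in enumerate(lines, 1):
        line = line.rstrip("\n")
        if START_RE.match(line) or not current:
            if current:
                yield start, current
            current, start = [line], n
        else:
            current.append(line)
    if current:
        yield start, current

def find_license_deserialization(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return one finding per record whose stack trace passed through
    SignedObject.getObject, with the servlet frame that reached it (if any)."""
    findings = []
    for start, record in iter_records(lines):
        trace = [l.strip() for l in record[1:]]
        if not any(INDICATOR in frame for frame in trace):
            continue
        entry = next((f for f in trace if "LicenseResponseServlet" in f), None)
        findings.append({"line": start, "message": record[0],
                         "entry_frame": entry, "frames": len(trace)})
    return findings

# Constructed sample: one trace matching the advisory, then one unrelated error.
SAMPLE_LOG = """2025-09-12 03:14:09 ERROR Error parsing license response
java.lang.RuntimeException: InvocationTargetException: java.lang.reflect.InvocationTargetException
\tat java.base/java.io.ObjectInputStream.readObject(Unknown Source)
\tat java.base/java.security.SignedObject.getObject(Unknown Source)
\tat com.linoma.license.gen2.BundleWorker.verify(BundleWorker.java:319)
\tat com.linoma.ga.ui.admin.servlet.LicenseResponseServlet.doPost(LicenseResponseServlet.java:64)
2025-09-12 03:15:00 ERROR Connection refused
java.net.ConnectException: Connection refused
\tat java.base/java.net.Socket.connect(Unknown Source)
"""
```

On a real instance, pass the opened log file (or `SAMPLE_LOG.splitlines()` to try it) to `find_license_deserialization` and review each reported record against the Admin Audit log around that time.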