A critical vulnerability has been identified in Fortra's GoAnywhere MFT software, which could allow an unauthenticated remote attacker to take complete control of the affected system. Successful exploitation could lead to total system compromise, data theft, and deployment of malware such as ransomware, posing a severe risk to the organization. Immediate patching is required to mitigate this threat.

This is an insecure deserialization vulnerability located in the License Servlet component of the application. An attacker can craft a malicious serialized object and embed it within a license response that has a validly forged signature. When the application's License Servlet processes this malicious response, it deserializes the object without proper validation, leading to arbitrary code execution on the server with the privileges of the GoAnywhere MFT service account.

This vulnerability is rated as critical severity with a CVSS score of 10.0, representing the highest possible risk. A successful exploit grants an attacker full remote code execution (RCE) capabilities on the underlying server without requiring any prior authentication. The potential consequences include complete confidentiality, integrity, and availability loss of the system and its data. Specific risks include theft of sensitive files managed by the MFT solution, lateral movement into the broader corporate network, deployment of ransomware, and significant operational downtime and reputational damage.

Immediate Action: Immediately update all instances of Fortra GoAnywhere MFT to the latest version as recommended by the vendor to patch this vulnerability. Prioritize patching for systems that are exposed to the internet. After patching, review access logs and system logs for any signs of compromise that may have occurred before the update was applied.

Proactive Monitoring: Monitor web server logs specifically for requests to the License Servlet endpoint for anomalies, such as requests from untrusted IP addresses or malformed request bodies. System administrators should monitor for unexpected processes being spawned by the GoAnywhere MFT service and analyze outbound network traffic from the MFT server for connections to suspicious destinations.

Compensating Controls: If patching cannot be performed immediately, restrict network access to the GoAnywhere MFT administrative interface and License Servlet to only trusted IP addresses and internal networks. This can be accomplished using a firewall, reverse proxy, or Web Application Firewall (WAF) rules to limit exposure.

Public Exploit Available: False

This vulnerability poses a critical and immediate threat to the organization. Given its perfect CVSS score of 10.0, which signifies a low-complexity, unauthenticated attack leading to complete system compromise, immediate remediation is imperative. All system owners must prioritize the deployment of the vendor-provided patch across all affected GoAnywhere MFT instances without delay. Although this CVE is not currently on the CISA KEV list, its severity makes it a prime candidate for future inclusion and widespread exploitation by threat actors.