CVE-2025-10035
OWASP A08 · Software & Data Integrity Failures
CWE-502 Deserialization of Untrusted Data
CVSS 10.0 Critical
GoAnywhere MFT — unauthenticated deserialization RCE
A forged, signed object deserialized by GoAnywhere's admin console gave pre-auth remote code execution.
What happened
In 2025 the Medusa ransomware crew exploited an unauthenticated deserialization flaw in Fortra GoAnywhere MFT's License Servlet: a crafted, attacker-controlled serialized object was accepted and deserialized, yielding command execution with no login. Managed-file-transfer boxes are high-value — they sit between networks and hold everyone's files — so the crew used the flaw for persistent access and mass data theft.
The code
✕ Vulnerable — Deserialization
// Java: accepting a serialized object straight off the wire
ObjectInputStream in = new ObjectInputStream(request.getInputStream());
Object cmd = in.readObject(); // gadget chain runs during readObject()
// attacker sends a serialized object whose readObject() spawns a process
✓ Fixed — Deserialization
// Never deserialize untrusted input into arbitrary types.
// Use a data format (JSON) + a strict schema, or an allowlist ObjectInputFilter:
ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
        "com.myapp.dto.*;java.base/*;!*"); // only known DTOs; the trailing "!*" rejects everything else
ObjectInputStream in = new ObjectInputStream(request.getInputStream());
in.setObjectInputFilter(filter); // must be set before the first readObject()
Object dto = in.readObject(); // unknown classes now fail with InvalidClassException before their readObject() runs
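To show the allowlist filter from the fixed snippet actually stopping an unexpected class before its readObject() runs, here is an added, self-contained Java example (not Fortra's code and not the page's snippet). SafeDeserializeDemo, LicenseRequest and Unexpected are hypothetical names, and the depth/size limits are illustrative.

```java
import java.io.*;

// Rejecting allowlist filter with size/depth limits; a class outside the allowlist
// is refused while its class descriptor is read, before its readObject() can run.
public class SafeDeserializeDemo {
    // Hypothetical DTO the application legitimately accepts.
    public static final class LicenseRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        final String customerId;
        LicenseRequest(String customerId) { this.customerId = customerId; }
    }

    // Stand-in for an unexpected type whose readObject() must never execute.
    public static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            System.out.println("readObject() of Unexpected ran"); // never reached when filtered
        }
    }

    // Allowlist exactly the DTO, cap graph depth/size, reject everything else ("!*").
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=5;maxarray=1000;maxrefs=100;"
            + SafeDeserializeDemo.class.getName() + "$LicenseRequest;!*");

    static Object deserialize(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            in.setObjectInputFilter(FILTER); // set before the first readObject()
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        LicenseRequest ok = (LicenseRequest) deserialize(serialize(new LicenseRequest("cust-42")));
        System.out.println("accepted: " + ok.customerId);
        try {
            deserialize(serialize(new Unexpected()));
        } catch (InvalidClassException e) {
            // Filter rejections are worth logging and alerting on: they signal deserialization probing.
            System.out.println("rejected by filter: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac SafeDeserializeDemo.java && java SafeDeserializeDemo`; the second call fails with "filter status: REJECTED" and the line inside Unexpected.readObject() never prints.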
Educational case study. The "vulnerable" snippet is a minimal teaching example, not a working exploit.