CVE-2025-10035 · OWASP A08 Software & Data Integrity Failures · CWE-502 Deserialization of Untrusted Data · CVSS 10.0 Critical

GoAnywhere MFT — unauthenticated deserialization RCE

A forged, signed object deserialized by GoAnywhere's admin console gave pre-auth remote code execution.

What happened

In 2025 the Medusa ransomware crew exploited an unauthenticated deserialization flaw in Fortra GoAnywhere MFT's License Servlet: a crafted, attacker-controlled serialized object was accepted and deserialized, yielding command execution with no login. Managed-file-transfer boxes are high-value — they sit between networks and hold everyone's files — so the crew used the foothold for persistent access and mass data theft.

The code

✕ Vulnerable: Deserialization
// Java: accepting a serialized object straight off the wire
ObjectInputStream in = new ObjectInputStream(request.getInputStream());
Object cmd = in.readObject();   // gadget chain runs during readObject()
// attacker sends a serialized object whose readObject() spawns a process

✓ Fixed: Deserialization
// Never deserialize untrusted input into arbitrary types.
// Use a data format (JSON) + a strict schema, or an allowlist ObjectInputFilter
// (java.io.ObjectInputFilter, JDK 9+):
ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
  "com.myapp.dto.*;java.base/*;!*");          // only known DTOs and java.base; reject everything else
ObjectInputStream in = new ObjectInputStream(request.getInputStream());
in.setObjectInputFilter(filter);              // must be set before readObject()
Object dto = in.readObject();                 // a rejected class throws InvalidClassException
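A self-contained demonstration of the allowlist filter, added here as an example and not part of the case study or of GoAnywhere's code. It assumes a constructed DTO class `FilterDemo$TransferRequest` in place of the page's `com.myapp.dto.*` package, and uses `java.util.logging.Level` (module java.logging, outside the allowlist) as a stand-in for any class the filter should refuse:

```java
import java.io.*;

public class FilterDemo {
    // Constructed DTO standing in for the application's own allowlisted types (assumption).
    static final class TransferRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        final String fileName;
        TransferRequest(String fileName) { this.fileName = fileName; }
    }

    // Allowlist: exactly our DTO, plus anything in module java.base; "!*" rejects the rest.
    static final ObjectInputFilter FILTER =
        ObjectInputFilter.Config.createFilter("FilterDemo$TransferRequest;java.base/*;!*");

    // Helper that produces the bytes a client would send (constructed input, not a payload).
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // The fixed pattern from the case study: filter installed before readObject() runs.
    static Object deserializeFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes));
        in.setObjectInputFilter(FILTER);
        return in.readObject();
    }

    public static void main(String[] args) throws Exception {
        // Allowed: a known DTO passes the filter and is reconstructed normally.
        Object ok = deserializeFiltered(serialize(new TransferRequest("report.csv")));
        System.out.println("accepted: " + ((TransferRequest) ok).fileName);

        // Rejected: a class outside the allowlist. java.util.logging.Level lives in module
        // java.logging, not java.base, so the trailing "!*" rejects it before any
        // readObject()/readResolve() logic of that class can run.
        try {
            deserializeFiltered(serialize(java.util.logging.Level.INFO));
            System.out.println("unexpected: filter did not reject");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with a JDK 9 or newer; the second call fails with an InvalidClassException whose message reports the filter status as REJECTED.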

Educational case study. The "vulnerable" snippet is a minimal teaching example, not a working exploit. Benteng · a Palu Gada tool.