When GoAnywhere Lets Attackers Go Everywhere by Lucie Cardiet

GoAnywhere MFT is affected by CVE-2025-10035 — an unauthenticated, unsafe-deserialization remote code execution vulnerability rated CVSS 10.0 and listed in NIST’s Known Exploited Vulnerabilities; a single crafted request to the admin console can yield full system compromise, enabling persistence, credential theft, lateral movement, mass data exfiltration and ransomware deployment. The report stresses that patching is critical but may be insufficient if attackers already gained a foothold, notes detection gaps in traditional security controls, and recommends behavior-based detection (e.g., network and identity monitoring) to detect post-exploitation activity.