PatchSiren cyber security CVE debrief

CVE-2025-10035 Fortra CVE debrief

CVE-2025-10035 is a Fortra GoAnywhere MFT deserialization of untrusted data vulnerability that CISA added to the Known Exploited Vulnerabilities catalog on 2025-09-29. The KEV entry also marks it as having known ransomware campaign use, which raises the operational urgency for defenders. CISA’s required action is to apply vendor mitigations, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Vendor: Fortra
Product: GoAnywhere MFT
CVSS: Not provided in the supplied sources (the CISA KEV catalog does not carry CVSS scores)
CISA KEV: Listed (added 2025-09-29; remediation due 2025-10-20)
Original CVE published: 2025-09-29
Original CVE updated: 2025-09-29
Advisory published: 2025-09-29
Advisory updated: 2025-09-29

Who should care

Organizations that run Fortra GoAnywhere MFT, in particular security operations, vulnerability management and incident response teams, and the teams that own externally reachable file transfer or managed file exchange services.

Technical summary

The source corpus identifies the issue as a deserialization of untrusted data vulnerability in Fortra GoAnywhere MFT. Beyond that classification, the supplied sources do not provide exploit mechanics, impact specifics, or a CVSS score. As a general class caveat, not a claim about this CVE's mechanics: deserialization of untrusted data (CWE-502) in server-side applications frequently yields remote code execution in practice, so the impact should be assumed severe until vendor detail says otherwise. What is clear from the official sources is that CISA has evidence of active exploitation sufficient for KEV inclusion, has set a remediation due date of 2025-10-20, and flags known ransomware campaign use.

Defensive priority

Urgent. KEV listing plus known ransomware campaign use means this should be treated as a high-priority remediation item and tracked to closure before the 2025-10-20 due date, with internet-reachable instances handled first.

Recommended defensive actions

  • Confirm whether Fortra GoAnywhere MFT is deployed anywhere in the environment, including managed, hosted, and cloud-adjacent instances, and record which instances are reachable from the internet.
  • Apply vendor mitigations per Fortra's instructions as referenced by CISA.
  • Follow applicable BOD 22-01 guidance for cloud services where relevant.
  • If mitigations are unavailable or cannot be applied in time, discontinue use of the product per CISA guidance (for an externally reachable file transfer service this can mean taking it offline or restricting it to known peers until it is remediated).
  • Validate, test, and document remediation before the KEV due date of 2025-10-20.
  • Given the known ransomware campaign use flag, review affected hosts for generic post-exploitation indicators (new or modified administrative accounts, unexpected processes spawned by the application service, unusual outbound connections, and anomalous requests in the application's web logs) and confirm incident response readiness. These are general hunting points for an exposed server, not indicators published for this CVE.
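The first and fifth actions above amount to a join between the CISA KEV feed and an asset inventory, with a countdown against the KEV due date. The script below is an added example for this debrief, not PatchSiren's, Fortra's, or CISA's code. The feed fragment is constructed inline using the real field names of CISA's known_exploited_vulnerabilities.json (cveID, vendorProject, product, vulnerabilityName, dateAdded, shortDescription, requiredAction, dueDate, knownRansomwareCampaignUse, notes); the CVE ID, vendor, product, name, dates and ransomware flag are the values quoted in this debrief, the description and required-action text paraphrase CISA's standard wording, and the inventory hosts are hypothetical. In production, replace KEV_FEED_JSON with the downloaded feed from https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json and INVENTORY with a CMDB export.

```python
"""KEV triage helper: join a CISA KEV feed against an asset inventory.

Added example for this debrief; not PatchSiren's, Fortra's or CISA's code.
The feed fragment and inventory rows below are constructed for illustration.
"""
import json
from datetime import datetime

# Constructed KEV feed fragment in the schema of CISA's
# known_exploited_vulnerabilities.json. Field names are the real ones; the
# CVE values are those quoted in the debrief, the free text is paraphrased.
KEV_FEED_JSON = """
{
  "title": "Constructed KEV sample for this debrief",
  "vulnerabilities": [
    {
      "cveID": "CVE-2025-10035",
      "vendorProject": "Fortra",
      "product": "GoAnywhere MFT",
      "vulnerabilityName": "Fortra GoAnywhere MFT Deserialization of Untrusted Data Vulnerability",
      "dateAdded": "2025-09-29",
      "shortDescription": "Fortra GoAnywhere MFT contains a deserialization of untrusted data vulnerability.",
      "requiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
      "dueDate": "2025-10-20",
      "knownRansomwareCampaignUse": "Known",
      "notes": ""
    }
  ]
}
"""

# Constructed asset inventory (hypothetical hosts, deliberately inconsistent
# casing and spacing to show why normalization matters).
INVENTORY = [
    {"host": "mft-edge-01.example.internal", "vendor": "Fortra",
     "product": "GoAnywhere MFT", "internet_exposed": True},
    {"host": "mft-int-02.example.internal", "vendor": "fortra",
     "product": "goanywhere  mft", "internet_exposed": False},
    {"host": "fileshare-03.example.internal", "vendor": "Example Corp",
     "product": "File Sync", "internet_exposed": True},
]


def normalize(text):
    """Lower-case and collapse whitespace so vendor/product strings from
    different data sources compare equal."""
    return " ".join(text.lower().split())


def load_kev(feed_json):
    """Parse a KEV feed document and return its vulnerability entries."""
    return json.loads(feed_json)["vulnerabilities"]


def days_until(due_date_str, today):
    """Days remaining until a KEV dueDate (negative once overdue)."""
    due = datetime.strptime(due_date_str, "%Y-%m-%d").date()
    return (due - today).days


def priority(entry, asset, today):
    """P1 when ransomware use is Known, the due date has passed, or the
    asset is internet-exposed; otherwise P2."""
    if entry["knownRansomwareCampaignUse"] == "Known":
        return "P1"
    if days_until(entry["dueDate"], today) < 0:
        return "P1"
    if asset["internet_exposed"]:
        return "P1"
    return "P2"


def triage(feed_json, inventory, today_iso):
    """Join KEV entries to inventory rows on normalized vendor/product and
    return one finding per (asset, CVE) pair, most urgent first."""
    today = datetime.strptime(today_iso, "%Y-%m-%d").date()
    findings = []
    for entry in load_kev(feed_json):
        key = (normalize(entry["vendorProject"]), normalize(entry["product"]))
        for asset in inventory:
            if (normalize(asset["vendor"]), normalize(asset["product"])) != key:
                continue
            findings.append({
                "host": asset["host"],
                "cve": entry["cveID"],
                "due": entry["dueDate"],
                "days_remaining": days_until(entry["dueDate"], today),
                "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
                "internet_exposed": asset["internet_exposed"],
                "priority": priority(entry, asset, today),
            })
    # P1 before P2, nearest due date first, internet-exposed hosts first.
    findings.sort(key=lambda f: (f["priority"], f["days_remaining"],
                                 not f["internet_exposed"]))
    return findings


if __name__ == "__main__":
    for f in triage(KEV_FEED_JSON, INVENTORY, "2025-09-30"):
        print(f"{f['priority']} {f['host']} {f['cve']} due {f['due']} "
              f"({f['days_remaining']} days left) ransomware={f['ransomware']}")
```

Run against the constructed data on 2025-09-30, both GoAnywhere hosts come back as P1 with 20 days to the due date and the unrelated file-sync host is excluded; the same run on 2025-10-21 reports them as one day overdue. The join is on normalized vendor and product strings only, which is a deliberate starting point: real inventories also need version data to tell patched from unpatched instances, and the KEV feed does not carry affected-version ranges.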

Evidence notes

This debrief is grounded only in the supplied official corpus: the CVE record, the NVD detail link, and the CISA KEV entry/source item. The corpus states the vulnerability name as 'Fortra GoAnywhere MFT Deserialization of Untrusted Data Vulnerability,' lists it in CISA KEV on 2025-09-29 with a due date of 2025-10-20, and marks known ransomware campaign use as 'Known.' The corpus does not include a CVSS score or additional technical impact details, so none are asserted here.

Official resources

Public vulnerability details were published in the official CVE and CISA KEV records on 2025-09-29. This debrief intentionally avoids unsupported exploit detail and relies only on the supplied official sources.