{"id":"CVE-2025-10035","details":"A deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection.","modified":"2026-03-12T17:32:21.823757Z","published":"2025-09-18T22:15:41.857Z","references":[{"type":"WEB","url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-10035"},{"type":"ADVISORY","url":"https://www.fortra.com/security/advisories/product-security/fi-2025-012"}],"affected":[{"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-10035.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"fixed":"7.6.3"}]},{"events":[{"introduced":"7.7.0"},{"fixed":"7.8.4"}]}]}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}