When GoAnywhere Lets Attackers Go Everywhere

October 2, 2025
Lucie Cardiet
Cyberthreat Research Manager

GoAnywhere MFT is a widely used managed file transfer solution that organizations rely on to securely exchange sensitive data. It is often chosen to centralize file movement, enforce encryption standards, and reduce the risks of ad-hoc transfers. Because it is trusted to handle critical business information, it has become a high-value target for attackers.

In late September 2025, a new vulnerability in GoAnywhere (CVE-2025-10035) was disclosed and quickly added to NIST’s Known Exploited Vulnerabilities catalog. Rated with the maximum CVSS score of 10.0, this flaw allows remote code execution without authentication. Attackers can compromise a GoAnywhere server before defenders even have time to apply patches.

What happened with this new GoAnywhere CVE

The vulnerability exists in the license response servlet of GoAnywhere MFT. By exploiting an unsafe deserialization process and bypassing authentication checks, attackers can send malicious objects that result in system-level code execution. In practical terms, a single crafted request to an exposed GoAnywhere admin console can give adversaries full control of the system.
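As an added illustration of that bug class (this is not GoAnywhere's code; the handler, class, field and method names are assumptions), the unsafe pattern of deserializing an untrusted request body sits next to a hardened form that applies a JDK allowlist filter so only the expected license-response type can be instantiated:

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.Serializable;

// Illustrative handler for an endpoint that receives a serialized "license response".
// Hypothetical names; not the vendor's implementation.
public final class LicenseResponseHandler {

    // Hypothetical payload type this endpoint legitimately expects.
    public static final class LicenseResponse implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String licenseKey;
        public LicenseResponse(String licenseKey) { this.licenseKey = licenseKey; }
    }

    // BEFORE: reads whatever object graph the client sent. Any Serializable class on the
    // server classpath can be instantiated from attacker-controlled bytes, which is the
    // unsafe deserialization described above.
    public static Object readUnsafe(InputStream body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(body)) {
            return in.readObject();
        }
    }

    // AFTER: a JEP 290 filter (Java 9+) allowlists only the expected class and the String
    // it contains, rejects everything else ("!*"), and bounds depth/refs/bytes so the
    // stream cannot be used for resource exhaustion either.
    private static final ObjectInputFilter LICENSE_FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=3;maxrefs=32;maxbytes=4096;"
            + "java.lang.String;" + LicenseResponse.class.getName() + ";!*");

    public static LicenseResponse readFiltered(InputStream body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(body)) {
            in.setObjectInputFilter(LICENSE_FILTER);
            // Any class outside the allowlist makes readObject() throw InvalidClassException
            // before the object is constructed.
            Object obj = in.readObject();
            if (!(obj instanceof LicenseResponse)) {
                throw new InvalidClassException("unexpected type " + obj.getClass().getName());
            }
            return (LicenseResponse) obj;
        }
    }
}
```

The filter limits what a crafted request can instantiate, but it does not replace the authentication check the endpoint should enforce before reading the body at all.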

This is not the first time GoAnywhere has made headlines. A similar flaw in 2023 led to large-scale ransomware campaigns that impacted over 130 organizations. Once again, a product designed to enable secure data transfer has become a launch point for major breaches.

Why CVE-2025-10035 is a Critical Security Risk

Patching is essential, but it is not sufficient. If an attacker exploited the flaw before the update was applied, they may already have persistence inside the environment. GoAnywhere servers handle highly sensitive information such as financial data, healthcare records, and intellectual property. Once compromised, they provide a convenient staging ground for data theft and lateral movement.

Traditional security tools often fail to spot these attacks:

  • Endpoint agents may not monitor the GoAnywhere appliance.
  • Perimeter defenses see only “legitimate” encrypted file transfers.
  • Logs can be incomplete or too noisy for SOC analysts to act on quickly.

This creates a dangerous detection gap between compromise and discovery.

Attacker Tactics After Exploiting GoAnywhere Servers

Once inside, attackers do not stop at the initial exploit. They use compromised GoAnywhere systems to:

  1. Deploy webshells or hidden scripts for persistence.
  2. Steal credentials to escalate privileges.
  3. Move laterally to other internal systems.
  4. Exfiltrate large volumes of sensitive files under the guise of normal transfer activity.

Each of these actions blends into daily operations, making it difficult for teams relying only on prevention or static logs to catch them.

Closing the Gap with Vectra AI

The Vectra AI Platform focuses on detecting and responding to attacker behavior, not just known exploits. That matters most after vulnerabilities like CVE-2025-10035:

  • Network Threat Detection identifies unusual command-and-control channels or large-scale data exfiltration attempts from GoAnywhere servers.
  • Identity Threat Detection uncovers suspicious account activity, such as privilege escalation or abnormal use of service accounts linked to MFT systems.
  • Cloud and SaaS Visibility ensures that if attackers pivot from on-premises to cloud applications after the initial breach, their movement does not go unnoticed.

With AI-driven detection across network, identity, and cloud, Vectra AI closes the blind spot that exploits like this reveal. Patching remains important, but without behavior-based detection, organizations are left exposed if adversaries gained a foothold before defenses were in place.

If you want to understand how the Vectra AI Platform strengthens your security posture beyond prevention, explore a self-guided demo of the platform today.