Related vulnerability
Description
CVE-2025-10035
Introduction
# ⚠️ CVE-2025-10035 — Fortra GoAnywhere MFT
**Critical Remote Code Execution via Unsafe Deserialization**
> **Severity:** 🔴 Critical (CVSS 3.1: **10.0**)
>
> **Impact:** Remote Code Execution (Pre-Auth)
>
> **Status:** 🧩 *Actively Exploited* — listed in **CISA KEV**
>
> **Affected Product:** Fortra **GoAnywhere MFT** (License Servlet component)
>
> **Discovered:** 11 Sep 2025 | **Public Disclosure:** 18 Sep 2025
---
## 🧠 Executive Summary
A critical vulnerability (CVE-2025-10035) in the **License Servlet** of Fortra’s GoAnywhere MFT allows an attacker to exploit **unsafe Java object deserialization**.
If a forged license response with a valid signature is submitted, the system can deserialize attacker-supplied objects — leading directly to **remote command execution**.
This flaw has already been exploited in the wild by **Storm-1175** (linked to **Medusa ransomware**).
---
## 📦 Affected & Fixed Versions
| Version | Status | Notes |
|----------|---------|-------|
| ≤ 7.8.3 | ❌ Vulnerable | Exploitable via License Servlet |
| 7.6.x (≤ 7.6.2) | ❌ Vulnerable | Sustain release branch |
| **7.6.3** | ✅ Fixed | Sustain branch patch |
| **7.8.4** | ✅ Fixed | Mainline patch release |
**Action:** Upgrade immediately to **7.8.4** (or **7.6.3 sustain**) from official Fortra downloads.
## ⚠️ Usages
<img width="1043" height="643" alt="CVE-2025-10035" src="https://github.com/user-attachments/assets/f9bc4418-4820-448a-a860-220c2a5813f3" />
```console
┌──(kali㉿kali)-[~]
└─$ sudo nuclei -l GoAnywhere-MFT.txt -t CVE-2025-10035.yaml
__ _
____ __ _______/ /__ (_)
/ __ \/ / / / ___/ / _ \/ /
/ / / / /_/ / /__/ / __/ /
/_/ /_/\__,_/\___/_/\___/_/ v3.4.10
projectdiscovery.io
[INF] Your current nuclei-templates are outdated. Latest is v10.3.1
[INF] Supplied input was automatically deduplicated (1 removed).
[INF] Current nuclei version: v3.4.10 (latest)
[INF] Current nuclei-templates version: (outdated)
[INF] New templates added in latest release: 0
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 25
[INF] Running httpx on input host
[INF] Found 23 URL from httpx
[CVE-2025-10035:version] [http] [critical] http://targets:8000/goanywhere/license/Unlicensed.xhtml ["6.5.3"]
[CVE-2025-10035:version] [http] [critical] https://targets:8001/goanywhere/license/Unlicensed.xhtml ["6.5.3"]
[CVE-2025-10035:version] [http] [critical] https://targets:8001/goanywhere/license/Unlicensed.xhtml ["7.1.2"]
[INF] Scan completed in 11.023606474s. 3 matches found.
```
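To turn scan output like the session above into an upgrade list, here is an added Python example (not part of the original page, the nuclei project, or Fortra's tooling). It parses nuclei result lines in the format shown and checks each extracted version against the ranges in the version table: 7.6.x below 7.6.3 on the sustain branch, anything below 7.8.4 otherwise. The hostnames in the sample lines are constructed placeholders, and the line format is assumed to match what nuclei printed above.

```python
"""Triage nuclei output for CVE-2025-10035 against the affected-version table
in this README.

Added example, not code from the page, nuclei or Fortra. Version ranges are
those the table states; the sample lines are constructed to mirror the
output format shown above (placeholder hostnames)."""
import re
from typing import Dict, List, Optional, Tuple

# Fixed releases from the table: 7.8.4 mainline, 7.6.3 sustain branch.
FIXED_MAINLINE = (7, 8, 4)
FIXED_SUSTAIN = (7, 6, 3)

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Pull a major.minor[.patch] triple out of strings like '7.8.3' or '7.1'."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_vulnerable(version: str) -> bool:
    """True when the version is in a range the table marks vulnerable:
    7.6.x below 7.6.3 (sustain branch), anything else below 7.8.4."""
    v = parse_version(version)
    if v[:2] == (7, 6):
        return v < FIXED_SUSTAIN
    return v < FIXED_MAINLINE


# One nuclei result line: [template:matcher] [proto] [severity] url ["extracted"]
NUCLEI_LINE = re.compile(
    r'^\[(?P<template>[^\]]+)\]\s+\[(?P<proto>[^\]]+)\]\s+\[(?P<severity>[^\]]+)\]\s+'
    r'(?P<url>\S+)(?:\s+\["(?P<extracted>[^"]*)"\])?'
)


def parse_nuclei_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the fields of a result line, or None for [INF]/[WRN] chatter."""
    m = NUCLEI_LINE.match(line.strip())
    return m.groupdict() if m else None


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """One record per result that carried an extracted version, flagged
    against the table, de-duplicated on (url, version)."""
    seen = set()
    out: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_nuclei_line(line)
        if not rec or rec["extracted"] is None:
            continue
        key = (rec["url"], rec["extracted"])
        if key in seen:
            continue
        seen.add(key)
        out.append({"url": rec["url"], "version": rec["extracted"],
                    "vulnerable": is_vulnerable(rec["extracted"])})
    return out


# Constructed sample in the format shown above; hostnames are placeholders.
SAMPLE_OUTPUT = [
    '[INF] Templates loaded for current scan: 1',
    '[CVE-2025-10035:version] [http] [critical] http://mft-a.example.internal:8000/goanywhere/license/Unlicensed.xhtml ["6.5.3"]',
    '[CVE-2025-10035:version] [http] [critical] https://mft-b.example.internal:8001/goanywhere/license/Unlicensed.xhtml ["7.6.2"]',
    '[CVE-2025-10035:version] [http] [critical] https://mft-c.example.internal:8001/goanywhere/license/Unlicensed.xhtml ["7.6.3"]',
    '[CVE-2025-10035:version] [http] [critical] https://mft-d.example.internal:8001/goanywhere/license/Unlicensed.xhtml ["7.8.4"]',
]

if __name__ == "__main__":
    for rec in triage(SAMPLE_OUTPUT):
        status = "VULNERABLE - upgrade" if rec["vulnerable"] else "fixed"
        print(f'{rec["url"]}: {rec["version"]} -> {status}')
```

Run it on a saved scan with `triage(open("nuclei.out").read().splitlines())`. Because the decision is driven by the table rather than the scanner's severity label, a host reporting 7.6.3 is not flagged even though that number is lower than 7.8.4; a version the scanner cannot extract is skipped rather than guessed, so confirm those hosts in the Admin Console.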
---
## 🧩 Technical Breakdown
### Root Cause
- Unsafe **deserialization** in `SignedObject.getObject()`
- Occurs when the **License Servlet** parses a license response with a forged signature
- Leads to arbitrary object instantiation → potential **command injection**
### Vulnerable Call Path (simplified)
```
LicenseServlet → BundleWorker.verify() → SignedObject.getObject()
→ ObjectInputStream.readObject() → Attacker gadget chain → RCE
```
### Conditions for Exploitation
- Network access to the **Admin Console** or **License endpoint**
- Ability to submit forged license responses
- No authentication or user interaction required
---
## 🚨 Exploitation Timeline
| Date | Event |
|------|-------|
| **10 Sep 2025** | WatchTowr observes active exploitation attempts |
| **11 Sep 2025** | Fortra internally identifies issue |
| **18 Sep 2025** | Public advisory (FI-2025-012) released |
| **29 Sep 2025** | Added to **CISA KEV** list |
| **Oct 2025** | Microsoft attributes exploitation to **Storm-1175 / Medusa** |
---
## ☠️ Threat & Attribution
**Actor:** Storm-1175 (linked to Medusa ransomware)
**Observed Tactics:**
- Exploitation of CVE-2025-10035 for initial access
- Deployment of **RMM tools** (SimpleHelp, MeshAgent)
- Use of **Rclone** for data exfiltration
- **RDP lateral movement** (`mstsc.exe`)
- Execution of **Medusa ransomware payloads**
**Motivation:** Ransomware, data theft, and extortion.
---
## 🔍 Indicators of Compromise (IOCs)
### Application Logs
```
ERROR Error parsing license response
java.lang.RuntimeException: InvocationTargetException
at java.security.SignedObject.getObject(Unknown Source)
```
### System & Network
- JSP webshells in GoAnywhere directories
- Unknown admin accounts in GoAnywhere console
- Outbound connections via Rclone / Cloudflare tunnels
- RMM binaries: `simplehelp.exe`, `meshagent.exe`
### Watch for
- Stack traces referencing `SignedObject.getObject`
- Unexpected cron / scheduled tasks
- Creation of `.jsp` or `.class` files post-exploit
---
## 🧰 Detection & Hunting
| Layer | Technique | Example |
|--------|------------|----------|
| **SIEM / EDR** | Log for deserialization stack traces | `SignedObject.getObject` or `ObjectInputStream.readObject` |
| **File Integrity** | Monitor GoAnywhere directories | Detect new `.jsp` / `.class` files |
| **Network** | Alert on outbound traffic | Rclone / unknown C2 endpoints |
| **Process Tree** | Hunt for RMM tools | Parent: `goanywhere.exe` → child: `simplehelp.exe` |
**Sigma rule examples:** available from SOC Prime and Rapid7 detection repositories.
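As an added example of the SIEM and file-integrity rows of the table (not code from the page, SOC Prime, Rapid7 or Fortra), the following Python hunts for the stack-trace signature from the IOC section in application log lines and lists `.jsp`/`.class` files written under the install directory after a given time. The log lines and the directory tree it runs against are constructed for the demo; the five-line correlation window is an assumption, not a vendor-documented value.

```python
"""Hunt for the CVE-2025-10035 indicators listed on this page.

Added example; not code from Fortra or any vendor detection repository.
Covers the SIEM row (SignedObject.getObject trace in application logs) and
the file-integrity row (new .jsp/.class files). Sample data is constructed."""
import os
import re
import tempfile
import time
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Indicators from the IOC section, as regexes so small formatting
# differences between log versions still match.
LOG_INDICATORS: Dict[str, "re.Pattern[str]"] = {
    "license_parse_error": re.compile(r"Error parsing license response"),
    "invocation_target": re.compile(r"RuntimeException: InvocationTargetException"),
    "signedobject_deser": re.compile(r"java\.security\.SignedObject\.getObject"),
    "objectinputstream": re.compile(r"ObjectInputStream\.readObject"),
}


@dataclass
class LogFinding:
    line_no: int
    indicator: str
    text: str


def scan_log(lines: Iterable[str]) -> List[LogFinding]:
    """Return every line that matches a known indicator (first match wins)."""
    findings: List[LogFinding] = []
    for no, line in enumerate(lines, start=1):
        for name, pattern in LOG_INDICATORS.items():
            if pattern.search(line):
                findings.append(LogFinding(no, name, line.rstrip()))
                break
    return findings


def is_deserialization_attempt(findings: List[LogFinding], window: int = 5) -> bool:
    """A lone 'Error parsing license response' may be an ordinary licensing
    problem; flag only when a SignedObject.getObject frame follows it within
    `window` lines, as in the IOC trace (window size is an assumption)."""
    errors = [f.line_no for f in findings if f.indicator == "license_parse_error"]
    frames = [f.line_no for f in findings if f.indicator == "signedobject_deser"]
    return any(0 <= fr - er <= window for er in errors for fr in frames)


WEB_ARTIFACT_SUFFIXES = (".jsp", ".class")


def find_new_web_artifacts(root: str, since: float) -> List[str]:
    """List .jsp/.class files under `root` modified after `since` (epoch secs).
    Point `root` at the GoAnywhere install directory and `since` at the last
    legitimate deployment or patch time."""
    hits: List[str] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(WEB_ARTIFACT_SUFFIXES):
                path = os.path.join(dirpath, name)
                if os.path.getmtime(path) > since:
                    hits.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(hits)


# Constructed log excerpt: the three IOC lines with ordinary noise around them.
SAMPLE_LOG = [
    "2025-09-12 03:14:07 INFO  Scheduler started",
    "2025-09-12 03:14:09 ERROR Error parsing license response",
    "java.lang.RuntimeException: InvocationTargetException",
    "\tat java.security.SignedObject.getObject(Unknown Source)",
    "2025-09-12 03:20:00 INFO  Scheduler tick",
]


def demo() -> dict:
    """Run both checks on constructed data and return the results."""
    findings = scan_log(SAMPLE_LOG)
    with tempfile.TemporaryDirectory() as root:   # constructed install tree
        baseline = time.time()
        webroot = os.path.join(root, "webapps", "ROOT")
        os.makedirs(webroot)
        legit = os.path.join(webroot, "index.jsp")   # pre-existing page
        newfile = os.path.join(webroot, "new.jsp")   # written after baseline
        for path in (legit, newfile):
            with open(path, "w") as fh:
                fh.write("<%-- sample --%>")
        os.utime(legit, (baseline - 86400, baseline - 86400))  # a day earlier
        os.utime(newfile, (baseline + 60, baseline + 60))      # after baseline
        artifacts = find_new_web_artifacts(root, baseline)
    return {
        "log_findings": [(f.line_no, f.indicator) for f in findings],
        "probable_exploitation": is_deserialization_attempt(findings),
        "new_artifacts": artifacts,
    }


if __name__ == "__main__":
    print(demo())
```

For a real hunt, pass the GoAnywhere application log to `scan_log` and the install directory plus the timestamp of the last patch to `find_new_web_artifacts`; the correlation in `is_deserialization_attempt` keeps a routine license error from paging anyone, while a `SignedObject.getObject` frame on its own still shows up in the findings list for review.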
---
## 🛡️ Mitigation & Remediation
### ✅ Primary Fix
- Upgrade to **7.8.4** or **7.6.3** (Sustain).
- Verify patch installation in Admin Console → *About → Version*.
### 🔒 Hardening Measures
1. **Restrict network access** — make Admin Console internal-only.
2. **Segment GoAnywhere servers** — isolate from critical assets.
3. **Apply least privilege** — run service under a restricted account.
4. **Increase logging** — enable verbose audit logs.
5. **Review credentials** — rotate all stored secrets and SSH keys.
6. **Monitor continuously** — add exploit detection rules to SIEM.
---
## 🧾 Incident Response Checklist
| Phase | Key Steps |
|-------|------------|
| **Containment** | Isolate affected systems; disable Admin Console exposure |
| **Eradication** | Patch to 7.8.4; remove RMM/webshell artifacts |
| **Recovery** | Restore clean backups; rotate credentials |
| **Post-Incident** | Review logs, update firewall & EDR rules, document timeline |
---
## 🧩 Relation to Past Exploits
- **CVE-2023-0669** (GoAnywhere RCE) exploited by **Cl0p** ransomware in 2023
- CVE-2025-10035 is architecturally similar — targeting the same product line but through the **License Servlet** instead of the **Admin Console auth**
- Reinforces GoAnywhere’s recurring risk profile for **file transfer supply-chain compromise**
---
## 📚 References
- Fortra Advisory FI-2025-012 — [Security Advisory](https://www.fortra.com/security/advisories/product-security/fi-2025-012?utm_source=chatgpt.com)
- Microsoft Threat Intelligence — [Storm-1175 Attribution](https://www.microsoft.com/en-us/security/blog/2025/10/06/investigating-active-exploitation-of-cve-2025-10035-goanywhere-managed-file-transfer-vulnerability/?utm_source=chatgpt.com)
- WatchTowr Labs — [Technical Deep Dive](https://labs.watchtowr.com/it-is-bad-exploitation-of-fortra-goanywhere-mft-cve-2025-10035-part-2/?utm_source=chatgpt.com)
- Rapid7 Analysis — [ETR: GoAnywhere Critical RCE](https://www.rapid7.com/blog/post/etr-cve-2025-10035-critical-unauthenticated-rce-in-goanywhere-mft/?utm_source=chatgpt.com)
- SOC Prime — [Detection Rules & Sigma Signatures](https://socprime.com/blog/detect-cve-2025-10035-exploitation/?utm_source=chatgpt.com)
---
## 🧾 Summary Table
| Attribute | Detail |
|------------|--------|
| **CVE ID** | CVE-2025-10035 |
| **CVSS Score** | 10.0 (Critical) |
| **Type** | Unsafe Deserialization → RCE |
| **Authentication** | None (Pre-auth) |
| **Exploitability** | Network, No User Interaction |
| **Impact** | Full system compromise, data theft, ransomware |
| **Exploited in Wild** | ✅ Yes (Storm-1175 / Medusa) |
| **Patched Versions** | 7.8.4 / 7.6.3 |
| **Published** | 18 Sep 2025 |
| **CISA KEV** | Listed (Sep 2025) |
---
### ⚡ Summary
> CVE-2025-10035 is one of the most severe vulnerabilities affecting enterprise file-transfer systems this year.
> It enables unauthenticated remote code execution and has already been exploited by ransomware operators.
> Patch immediately, restrict external access, and perform threat hunting to verify no compromise occurred.
---
File snapshot
[4.0K] /data/pocs/6ced68ef11dfa779dab903c89501e975bc8c9440
├── [ 923] CVE-2025-10035.yaml
└── [8.3K] README.md
0 directories, 2 files
Notes
1. Accessing the original source is recommended.
2. If the source is unavailable or cannot be reached, email f.jinxu#gmail.com to request a local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.