PoC details: 700c6af101444bce8ac2feadffb9cab1c51c199c

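Source
Related vulnerability
Title: Fortra GoAnywhere MFT security vulnerability (CVE-2025-10035)
Description: Fortra GoAnywhere MFT is file transfer software from the US company Fortra. Fortra GoAnywhere MFT contains a security vulnerability that stems from improper deserialization in the License Servlet and may lead to command injection attacks.
Introduction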
# CVE-2025-10035 - Improper Neutralization of Special Elements used in a Command ('Command Injection') (CWE-77)
## Overview
A deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT that allows an attacker with a validly forged license response signature to deserialize an arbitrary actor-controlled object, potentially leading to command injection.

## Exploit:
## [href](https://tinyurl.com/57sh3hs5)
## Details
+ **CVE ID**: [CVE-2025-10035](https://nvd.nist.gov/vuln/detail/CVE-2025-10035)
+ **Published**: 09/18/2025
+ **CVSS**: 10
+ **Exploit Availability**: Not public, only private.
+ **Patch Available**: No official patch yet

## Impact
This is a critical vulnerability with maximum severity (CVSS 10.0). An unauthenticated attacker can exploit this vulnerability remotely without any user interaction. The potential impacts include:

- Complete compromise of system confidentiality
- Full integrity breach of the affected system
- Total system availability disruption
- Potential for remote code execution and command injection

## Running

To run the exploit, you need Python 3.9.
Execute:
```bash
python generatedpayload.py -h 10.10.10.10 -c 'uname -a'
```
## Affected Product
GoAnywhere MFT all versions
## Demo
The product includes a detailed five-minute guide to using the exploit, for users with any level of familiarity with programming languages.
## Contact
+ **For inquiries, please contact: f0kinn@outlook.com**



File snapshot

[4.0K] /data/pocs/700c6af101444bce8ac2feadffb9cab1c51c199c
└── [1.4K] README.md

0 directories, 1 file