id: CVE-2025-10035

info:
  name: GoAnywhere - Authentication Bypass
  author: DhiyaneshDk,watchtowr
  severity: critical
  description: |
    Fortra GoAnywhere MFT contains an insecure deserialization vulnerability in the License Servlet. The servlet deserializes attacker-controlled objects when they are accompanied by a valid forged license response signature, which lets an attacker achieve command injection. Exploitation requires a valid forged license signature.
  reference:
    - https://labs.watchtowr.com/is-this-bad-this-feels-bad-goanywhere-cve-2025-10035/
    - https://attackerkb.com/topics/LbA9ANjcdz/cve-2025-10035/rapid7-analysis
    - https://www.fortra.com/security/advisories/product-security/fi-2025-011
  impact: |
    Attackers can execute arbitrary commands remotely, potentially leading to full system compromise.
  remediation: |
    Update to the latest version with the deserialization fix.
  metadata:
    verified: true
    max-request: 1
    shodan-query: title:"GoAnywhere"
    fofa-query: title="GoAnywhere"
  tags: cve,cve2025,goanywhere,auth-bypass,vkev,kev,vuln

variables:
  string: "{{to_lower(rand_text_alpha(5))}}"

http:
  - method: GET
    path:
      - "{{BaseURL}}/goanywhere/license/Unlicensed.xhtml/{{string}}?javax.faces.ViewState={{string}}&GARequestAction=activate"
      - "{{BaseURL}}/license/Unlicensed.xhtml/{{string}}?javax.faces.ViewState={{string}}&GARequestAction=activate"

    stop-at-first-match: true
    matchers:
      - type: dsl
        dsl:
          - contains_all(location, "request?bundle=", "my.goanywhere.com")
          - status_code == 302
        condition: and

    extractors:
      - type: dsl
        dsl:
          - location
# digest: 490a00463044022008481d436f08c510437db7dc1c8f2887b8d2717d70b169a2965f6931207806b902206475ce7d23c2a4fbf7577133b83298373d60745fee36442a47b3bbc8854a8104:922c64590222798bb761d5b6d8e72950