Fortra GoAnywhere MFT
cpe:2.3:a:fortra:goanywhere_managed_file_transfer:*:*:*:*:*:*:*
This vulnerability is being actively exploited in the wild.
A deserialization vulnerability has been identified in the License Servlet of Fortra's GoAnywhere MFT. This vulnerability allows an actor with a validly forged license response signature to deserialize an arbitrary, actor-controlled object, which could potentially lead to command injection.
Exploitation of this vulnerability could result in arbitrary command execution on the server where GoAnywhere MFT is running.
Users are advised to upgrade to the latest patched version (7.8.4) or the Sustain Release 7.6.3. Additionally, access to the GoAnywhere Admin Console should not be open to the public, as exploitation is highly dependent on the system being externally exposed to the internet.
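The remediation guidance above can be applied to an asset inventory as a triage step. This is an added example, not code from Fortra or from this page; the host names, the tuple layout and the rule that every 7.6.x build belongs to the Sustain line are assumptions made for illustration.

```python
import re

# Fixed releases as named in the advisory above.
FIXED_MAIN = (7, 8, 4)     # latest patched version
FIXED_SUSTAIN = (7, 6, 3)  # Sustain Release
# Actions, ordered most to least urgent.
URGENT = "upgrade and remove public Admin Console access"
VERIFY = "confirm version manually"
UPGRADE = "upgrade"
RESTRICT = "remove public Admin Console access"
OK = "no action"
ORDER = [URGENT, VERIFY, UPGRADE, RESTRICT, OK]

def parse_version(text):
    """Extract (major, minor, patch) from strings such as '7.8.3' or 'v7.6.3-b2'."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def is_patched(version):
    v = parse_version(version)
    # Assumption: any 7.6.x build is on the Sustain line, fixed from 7.6.3;
    # every other release line must be at 7.8.4 or later.
    if v[:2] == FIXED_SUSTAIN[:2]:
        return v >= FIXED_SUSTAIN
    return v >= FIXED_MAIN

def triage(inventory):
    """Take (name, version, admin_console_public) tuples; most urgent first."""
    rows = []
    for name, version, exposed in inventory:
        try:
            patched = is_patched(version)
        except ValueError:
            patched = None  # unparseable version string
        if patched is None:
            action = VERIFY
        elif not patched:
            action = URGENT if exposed else UPGRADE
        else:
            action = RESTRICT if exposed else OK
        rows.append((name, action))
    return sorted(rows, key=lambda r: ORDER.index(r[1]))

# Constructed sample inventory (hypothetical hosts, not from the advisory).
SAMPLE = [("mft-dmz", "7.8.3", True), ("mft-int", "7.6.3", False),
          ("mft-old", "7.6.2", False), ("mft-lab", "unknown", False)]
```

A patched host whose Admin Console is still publicly reachable is flagged separately, since the advisory treats exposure as its own recommendation.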