CVSS 10.0
Breach News · Skuggaheimar · September 23, 2025 · 12 min read

CVE-2025-10035:
GoAnywhere MFT and Its Strategic Implications for Canadian Businesses

A critical CVSS 10.0 vulnerability in Fortra's GoAnywhere MFT — the same platform previously exploited by the Clop ransomware group against Canadian organizations — demands immediate action.


The recent disclosure of CVE-2025-10035, a critical unauthenticated remote code execution (RCE) vulnerability in Fortra's GoAnywhere Managed File Transfer (MFT) solution, represents a grave and immediate threat to Canadian organizations. Assigned the maximum severity rating of CVSS 10.0, this flaw is not an isolated incident but a predictable recurrence within a discernible pattern of cybercrime.

  • CVSS Score (Maximum): 10.0
  • Impact: Remote Code Execution (RCE)
  • Authentication Required: 0 (none)

Anatomy of a CVSS 10.0 Exploit

CVE-2025-10035 is rooted in an improper deserialization flaw within the GoAnywhere MFT License Servlet component. A remote, unauthenticated attacker who forges a valid license response signature can trick the system into loading a malicious object. This deserialization escalates to command injection, granting broad control over the targeted system with system-level privileges.

The maximum CVSS score indicates the flaw is remotely exploitable, requires no prior authentication, and can be leveraged with minimal complexity and no user interaction. The sole prerequisite is that the GoAnywhere Admin Console is accessible over the internet — a configuration identified as common for many organizations. Fortra released patches in versions 7.8.4 and Sustain 7.6.3.

Immediate Action Required

Organizations with a publicly exposed GoAnywhere MFT Admin Console must immediately apply the vendor-provided patch (version 7.8.4 or Sustain 7.6.3). If an immediate upgrade is not feasible, restrict external access to the Admin Console through network segmentation or firewall rules.

History of Exploitation: The Clop Precedent

The true danger becomes evident when viewed through the lens of history. This is not the first critical flaw discovered in the GoAnywhere MFT platform's license component. The previous vulnerability, CVE-2023-0669, was also a deserialization flaw in the License Response Servlet — suggesting a systemic issue in the product's security development lifecycle.

That older flaw was exploited as a zero-day by the Clop ransomware group (operated by TA505), a financially motivated, Russian-speaking RaaS group with a long history of targeting managed file transfer solutions including Accellion FTA and MOVEit Transfer. Their operational model: exploit a single, widely used vulnerability to exfiltrate vast amounts of data from a large number of victims for subsequent extortion.

CVE ID         | CVSS | Vulnerability         | Component                | Threat Actor              | Exploitation
CVE-2025-10035 | 10.0 | Deserialization (RCE) | License Servlet          | None reported (potential) | No confirmed in-the-wild
CVE-2023-0669  | 7.2  | Deserialization (RCE) | License Response Servlet | Clop / TA505              | Exploited as zero-day

Predictive Assessment

The confluence of a new, highly severe vulnerability in the same software component previously exploited by a known threat group makes this a prime target for future campaigns. The temporary absence of active exploitation is not a reliable indicator of low risk — it presents a crucial window of opportunity. Historical precedent demonstrates that exploitation is a question of "when," not "if."

The Canadian Impact

MFT in the Canadian Landscape

GoAnywhere MFT is widely adopted across Canadian critical sectors — financial services (PCI DSS compliance), healthcare (ePHI/EHR security), and government agencies (including Library and Archives Canada). This widespread adoption means a single critical vulnerability could expose a vast cross-section of Canada's most sensitive data.

Canadian Victims: Documented Breaches

The Clop ransomware group's 2023 campaign, which exploited CVE-2023-0669, directly impacted Canadian organizations:

Mackenzie Investments

March 2023 · CVE-2023-0669 · Supply Chain Breach

One of Canada's largest investment firms was compromised not through direct use of GoAnywhere MFT, but when its third-party vendor, InvestorCOM Inc., was breached. The incident exposed Social Insurance Numbers (SINs), names, and addresses of thousands of clients. A class-action lawsuit was subsequently filed against Mackenzie Financial for failing to ensure adequate security of its third-party provider's systems.

Investissement Québec

March 2023 · CVE-2023-0669 · Direct Breach

A major Quebec-based financing firm was confirmed as a direct victim, with employee data compromised through the GoAnywhere exploitation campaign.

Supply Chain Risk

The Mackenzie Investments case demonstrates that an organization's cybersecurity posture is inextricably linked to the security of its vendors. A vulnerability in a third-party tool — even one used for seemingly benign file transfer — can lead to legally actionable, financially devastating breaches for the parent company.

Regulatory and Economic Implications

Exposure of SINs directly triggers obligations under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA). Organizations must report any breach posing a "real risk of significant harm" (RROSH) to the Office of the Privacy Commissioner and notify affected individuals without delay. The repeated compromise of sensitive data across Canadian sectors constitutes a systemic risk to the Canadian economy, as noted by both the IMF and OSFI.

Strategic Defense with Mjolnir Security

Mjolnir Security provides a comprehensive suite of services designed to address the full lifecycle of the GoAnywhere MFT threat — from immediate response to long-term resilience.

  • Immediate Response — DFIR: For suspected or confirmed breaches, Mjolnir's Digital Forensics and Incident Response team can be engaged via its 24/7 Incident Hotline. Experts search for specific IoCs including unauthorized tools like Netcat, files like Errors.jsp, and the critical error message SignedObject.getObject.
  • Proactive Defense — Penetration Testing: Canadian-based experts go beyond automated scans, using certified ethical hackers to identify complex logic flaws and attack chains that automated tools miss. The engagement simulates real-world adversary TTPs against your MFT infrastructure.
  • Continuous Monitoring — Managed Security: Provides 24/7 monitoring and analysis to detect exploitation attempts and respond in real time.
  • Strategic Leadership — vCISO: Executive-level guidance to develop a security roadmap, manage third-party risk, and ensure PIPEDA compliance.
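The IoC triage described under DFIR above, as an added example that is not Mjolnir's or Fortra's own tooling: it scans log text for the SignedObject.getObject error string and flags any file named Errors.jsp. The log line layout and the file paths are constructed for illustration, not real GoAnywhere output.

```python
import os
import re

# Indicators named in the text above
IOC_ERROR = "SignedObject.getObject"
IOC_FILE = "Errors.jsp"

# Constructed sample log; timestamp/level layout is an assumption, not real GoAnywhere output
SAMPLE_LOG = """\
2025-09-18 14:02:11 INFO  LicenseServlet: license response received
2025-09-18 14:02:12 ERROR LicenseServlet: java.lang.ClassCastException at SignedObject.getObject
2025-09-18 14:02:13 INFO  Scheduler: nightly cleanup finished
"""

_TS = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")


def scan_log(text):
    """Return [(timestamp_or_None, line_no, line)] for lines containing IOC_ERROR."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        if IOC_ERROR in line:
            m = _TS.match(line)
            hits.append((m.group(1) if m else None, n, line))
    return hits


def suspicious_paths(paths):
    """Filter an iterable of file paths down to those whose basename is IOC_FILE."""
    return [p for p in paths if os.path.basename(p) == IOC_FILE]


def find_suspicious_files(root):
    """Walk a directory tree (e.g. the GoAnywhere install root) and apply suspicious_paths."""
    all_paths = (os.path.join(d, f) for d, _, files in os.walk(root) for f in files)
    return suspicious_paths(all_paths)


def triage(log_text, file_paths):
    """Combine both checks; any non-empty field means escalate to incident response."""
    return {"log_hits": scan_log(log_text), "files": suspicious_paths(file_paths)}


if __name__ == "__main__":
    # Constructed placeholder paths, not a real install layout
    sample_files = ["/example/webroot/index.jsp", "/example/tmp/Errors.jsp"]
    print(triage(SAMPLE_LOG, sample_files))
```

Timestamps on matching lines give the earliest point from which to scope the investigation window.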

Strategic Recommendations

  1. Prioritize Immediate Remediation: Apply vendor patches (v7.8.4 / Sustain 7.6.3) or restrict external access to the GoAnywhere Admin Console immediately.
  2. Engage Proactive Security Services: Commission penetration testing to identify and remediate vulnerabilities within MFT infrastructure and the broader network before exploitation occurs.
  3. Establish a Robust Incident Response Plan: Develop and practice a customized IR playbook tailored to your specific environment. The 24/7 Incident Hotline should be a pre-planned point of contact.
  4. Adopt a Strategic Cybersecurity Mindset: Integrate cybersecurity as a core business function through vCISO services — managing third-party risk, ensuring regulatory compliance, and aligning security investments with business objectives.

Conclusion

The time to act is now. The pattern of exploitation is clear, and the Canadian precedent is already set. By partnering with a comprehensive security provider like Mjolnir Security, Canadian businesses can transform a period of elevated risk into an opportunity to build enduring resilience.

Written by: Mjolnir Security  |  Published: September 23, 2025