Is This Bad? This Feels Bad. (Fortra GoAnywhere CVE-2025-10035) (opens in new tab)

(labs.watchtowr.com)

44 pointsxn--yt9h6mo ago16 comments

16 comments

> We can’t see a path to exploit this without a valid private key. On paper, that should kill the bug dead.

The juicy theory bit:

    The vendor accidentally signed evil. Imagine this:
    When you activate your GoAnywhere product, your installation generates a serialized license request.
    It’s sent to the vendor’s license server (my.goanywhere.com)
    If someone slipped a malicious object inside that request and the vendor blindly signed it, attackers would now have a perfectly valid signed payload that works everywhere.

That would be wild if true. Basically this is a object serialization vulnerability exploited in the wild right now, but it only deserializes signed objects, so the author is speculating if their private key leaked, or even better, if the company signed the malicous payload themselves lol

deskamess6mo ago

So would the signed 'object' contain code? Or is it just data? And even if it is code, does deserializing mean execution? I guess it could mean execution at some other stage in the process.

What is the end-goal of this... would it be data exfiltration vs ransomware.

cogman106mo ago

Java object serialization can be super dangerous as it just works on any class that implements serializable.

That means if the shape of your object is something like

    class Foo implements Serializable {
      SerializableFunction bar;
      
      void doBar() {
        bar.apply();
      }
    }

You've created a class which an attacker can plug in any object which implements `SerializableFunction` into `bar`. That includes externally created functions!

Here's an article detailing exactly how that works: https://www.baeldung.com/java-serialize-lambda

lyu072826mo ago

It often results in remote code/command execution, its data that de-serializes into java objects. But during the instantiation or sometimes deconstruction of objects, code can be executed. Popular tool for java: https://github.com/frohoff/ysoserial

cwsx6mo ago

> What is the end-goal of this... would it be data exfiltration vs ransomware.

The end-goal is to gain complete access to the system - the outcome (data theft or ransomware) is customers choice

cogman106mo ago

Ah, my most hated enemy. Java Serialization.

I know that some JDK devs will argue that it's one thing that made Java popular. And I'm sure they are right. But man oh man if it's not one of the biggest footguns in the current JDK. It also constantly gets in the way of Java language development. They had to figure out, for example, "How do I serialize a lambda"? Which should really tell you just how ridiculous this thing is.

If there's one breaking change to the JDK that I'd welcome, it's the removal of Java serialization. But that will never happen because WAY too many companies depend on it.

chickenzzzzu6mo ago

Nothing will ever be funnier than the quote from that Java language designer guy, "Java Serialization is a full employment act for security engineers"

privatelypublic6mo ago

.Net has similar issues.

WorldMaker6mo ago

Since around .NET 5 the raw binary serializer (BinaryFormatter) throws danger warnings at compile time, generally doesn't work cross-platform, and most standard analysis configs upgrade those to compile errors. The documentation is full of similar danger warnings. It mostly remains for a backwards compatibility commitment, and most of the original use cases for BinaryFormatter have been generally all replaced with Span<T>, Memory<T>, and smarter "Unsafe" [0] Marshallers.

I'm not sure I'd call the situation similar.

[0] Unsafe in terms of doing memory access that can result in danger, but still far more safe than BinaryFormatter sledgehammers.

1 more reply

privatelypublic6mo ago

The idea that the session ViewState is a static encryption shared across all installs (unless I misread that)... speaks poorly of the software product in general.

moktonar6mo ago

Bugdoors like this will be the norm in a few years from now. Why spend the money and time and effort needed to pass something like chatcontr0l when you can just bugcontrol everything

ajsnigrutin6mo ago

Usually sites let you read a sentance or two before asking you to subscribe with a "popup"... this one doesn't even wait that long.

Bender6mo ago

Archive [1]

[1] - https://archive.is/OsSe0

j / k navigate · click thread line to collapse

16 comments

lyu072826mo ago

> We can’t see a path to exploit this without a valid private key. On paper, that should kill the bug dead.

The juicy theory bit:

    The vendor accidentally signed evil. Imagine this:
    When you activate your GoAnywhere product, your installation generates a serialized license request.
    It’s sent to the vendor’s license server (my.goanywhere.com)
    If someone slipped a malicious object inside that request and the vendor blindly signed it, attackers would now have a perfectly valid signed payload that works everywhere.

deskamess6mo ago

So would the signed 'object' contain code? Or is it just data? And even if it is code, does deserializing mean execution? I guess it could mean execution at some other stage in the process.

What is the end-goal of this... would it be data exfiltration vs ransomware.

cogman106mo ago

Java object serialization can be super dangerous as it just works on any class that implements serializable.

That means if the shape of your object is something like

    class Foo implements Serializable {
      SerializableFunction bar;
      
      void doBar() {
        bar.apply();
      }
    }

You've created a class which an attacker can plug in any object which implements `SerializableFunction` into `bar`. That includes externally created functions!

Here's an article detailing exactly how that works: https://www.baeldung.com/java-serialize-lambda

lyu072826mo ago

cwsx6mo ago

> What is the end-goal of this... would it be data exfiltration vs ransomware.

The end-goal is to gain complete access to the system - the outcome (data theft or ransomware) is customers choice

cogman106mo ago

Ah, my most hated enemy. Java Serialization.

If there's one breaking change to the JDK that I'd welcome, it's the removal of Java serialization. But that will never happen because WAY too many companies depend on it.

chickenzzzzu6mo ago

Nothing will ever be funnier than the quote from that Java language designer guy, "Java Serialization is a full employment act for security engineers"

privatelypublic6mo ago

.Net has similar issues.

WorldMaker6mo ago

I'm not sure I'd call the situation similar.

[0] Unsafe in terms of doing memory access that can result in danger, but still far more safe than BinaryFormatter sledgehammers.

1 more reply

privatelypublic6mo ago

The idea that the session ViewState is a static encryption shared across all installs (unless I misread that)... speaks poorly of the software product in general.

moktonar6mo ago

Bugdoors like this will be the norm in a few years from now. Why spend the money and time and effort needed to pass something like chatcontr0l when you can just bugcontrol everything

ajsnigrutin6mo ago

Usually sites let you read a sentance or two before asking you to subscribe with a "popup"... this one doesn't even wait that long.

Bender6mo ago

Archive [1]

[1] - https://archive.is/OsSe0

j / k navigate · click thread line to collapse