Fortra GoAnywhere MFT 7.x Vulnerability Scanner
The Fortra GoAnywhere MFT 7.x Vulnerability Scanner is a specialized tool designed to identify security weaknesses and misconfigurations within GoAnywhere MFT installations running version 7.x.

It assesses the system against known vulnerabilities (including CVEs), security best practices, and common configuration errors. The scanner helps organizations proactively detect potential attack vectors, strengthen their MFT security posture, and maintain compliance standards.

It typically generates reports detailing identified risks and providing actionable recommendations for remediation. This ensures the secure and reliable transfer of sensitive data, minimizing exposure to threats.

=============================================================================================================================================
| # Title : Fortra GoAnywhere MFT v7.x Vulnerability Scanner |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits) |
| # Vendor : https://www.fortra.com/products/secure-managed-file-transfer-software |
=============================================================================================================================================

[+] References : https://packetstorm.news/files/id/209735/ & CVE-2025-10035

[+] Summary : A deserialization vulnerability exists in GoAnywhere MFT that may allow remote unauthorized access.
This PoC scans for potentially vulnerable versions based on remote fingerprinting of the login page.

[Usage]
php scan.php -t 11.22.33.44 -p 443
php scan.php -f targets.txt

[Target Format]
11.22.33.44
11.22.33.55:8443

[JSON Output]
Stored in "attack_results.json"

[Notes]
This is NOT an exploit. It only identifies possible vulnerable deployments.


[+] POC :

<?php
/**
 * Author: Indoushka
 */

error_reporting(0);

// ================= CONFIG ==================
define("EXPORT_JSON", "attack_results.json");
define("TIMEOUT", 10);
define("USER_AGENT", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36");

// Affected ranges: 7.7.0 <= v < 7.8.4 (latest branch) and v < 7.6.3 (sustain branch)
$LATEST_MIN  = "7.7.0";
$LATEST_MAX  = "7.8.4";
$SUSTAIN_MAX = "7.6.3";

// ===========================================

// Fetch a URL and return [body, curl info, error string]
function http_get($url) {
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => true,
        CURLOPT_SSL_VERIFYHOST => false,
        CURLOPT_SSL_VERIFYPEER => false,
        CURLOPT_TIMEOUT        => TIMEOUT,
        CURLOPT_USERAGENT      => USER_AGENT
    ]);
    $body = curl_exec($ch);
    $info = curl_getinfo($ch);
    $err  = curl_error($ch);
    curl_close($ch);
    return [$body, $info, $err];
}

// Build the base URL for a host/port pair; returns [url, null] or [null, error]
function build_target_url($host, $port) {
    if (!$host || !is_numeric($port) || $port < 1 || $port > 65535)
        return [null, "Invalid host or port"];
    // Use TLS on the usual HTTPS ports (the usage examples pass 443 / 8443),
    // plain HTTP on anything else.
    $scheme = in_array((int)$port, [443, 8443], true) ? "https" : "http";
    return ["{$scheme}://{$host}:{$port}/", null];
}

// true if $min <= $ver < $max
function version_compare_range($ver, $min, $max) {
    return (version_compare($ver, $min) >= 0 && version_compare($ver, $max) < 0);
}

// Fingerprint the login page and classify the version it reports
function check_target($base_url) {
    global $LATEST_MIN, $LATEST_MAX, $SUSTAIN_MAX;

    $url = rtrim($base_url, '/') . "/goanywhere/auth/Login.xhtml";
    list($body, $info, $err) = http_get($url);

    if ($err)
        return ["target" => $base_url, "status" => "Error", "reason" => $err];

    if ($info["http_code"] == 0)
        return ["target" => $base_url, "status" => "Error", "reason" => "Connection failed"];

    if (strpos($body, "GoAnywhere Managed File Transfer") === false)
        return ["target" => $base_url, "status" => "Not vulnerable", "reason" => "Not GoAnywhere"];

    if (!preg_match("/GoAnywhere\s+([0-9]+\.[0-9]+\.[0-9]+)/", $body, $m))
        return ["target" => $base_url, "status" => "Unknown", "reason" => "Version not found"];

    $ver = $m[1];

    if (version_compare_range($ver, $LATEST_MIN, $LATEST_MAX))
        return ["target" => $base_url, "status" => "Vulnerable", "version" => $ver, "reason" => "Within vulnerable range"];

    if (version_compare($ver, $SUSTAIN_MAX) < 0)
        return ["target" => $base_url, "status" => "Vulnerable", "version" => $ver, "reason" => "Below sustain patch"];

    return ["target" => $base_url, "status" => "Not vulnerable", "version" => $ver, "reason" => "Not within affected range"];
}

// Read "host" or "host:port" lines; blank lines and '#' comments are skipped
function read_targets_file($file) {
    $targets = [];
    if (!file_exists($file))
        return $targets;
    $lines = file($file, FILE_IGNORE_NEW_LINES);
    foreach ($lines as $line) {
        $line = trim($line);
        if (!$line || $line[0] === "#") continue;
        $x    = explode(":", $line);
        $host = trim($x[0]);
        $port = isset($x[1]) ? intval($x[1]) : 80;
        if (!$host || $port < 1 || $port > 65535) continue;
        $targets[] = [$host, $port];
    }
    return $targets;
}

function save_results($results) {
    file_put_contents(EXPORT_JSON, json_encode($results, JSON_PRETTY_PRINT | JSON_UNESCAPED_UNICODE));
}

// ================== CLI =====================
function main() {
    global $argv, $argc;
    $results = [];

    if ($argc < 2) {
        echo "Usage:\n";
        echo "php scan.php -t 1.1.1.1 -p 80\n";
        echo "php scan.php -f targets.txt\n";
        exit;
    }

    $target = null; $file = null; $port = 80;

    for ($i = 1; $i < $argc; $i++) {
        if ($argv[$i] == "-t") $target = $argv[$i + 1] ?? null;
        if ($argv[$i] == "-p") $port   = intval($argv[$i + 1] ?? 80);
        if ($argv[$i] == "-f") $file   = $argv[$i + 1] ?? null;
    }

    if ($file) {
        $targets = read_targets_file($file);
    } elseif ($target) {
        $targets = [[$target, $port]];
    } else {
        echo "Error: Provide -t or -f\n";
        exit;
    }

    foreach ($targets as $T) {
        list($url, $err) = build_target_url($T[0], $T[1]);
        if ($err) {
            $results[] = ["target" => $T[0] . ":" . $T[1], "status" => "Error", "reason" => $err];
            continue;
        }
        echo "[+] Scanning: $url\n";
        $r = check_target($url);
        echo " => {$r["status"]} | {$r["reason"]}\n";
        $r["timestamp"] = date("c");
        $results[] = $r;
    }

    save_results($results);
    echo "\nSaved results: " . EXPORT_JSON . "\n";
}

main();
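The version-range logic the PoC applies to each host can also be run without touching the network, which is how a defender usually wants it: against an asset-inventory export or a saved copy of the login page. The Python below is an added example, not part of the advisory or the PoC; it reuses the two ranges stated above (7.7.0 <= v < 7.8.4 and v < 7.6.3 flagged as vulnerable) and the same banner regex. The inventory CSV layout, hostnames and page snippet are constructed for the example. Versions are compared as integer tuples so the boundary releases (7.6.3, 7.8.4) and two-digit components (7.10.0) classify correctly.

```python
import csv
import io
import re
from typing import Optional, Tuple

# Affected ranges as used by the PoC above (CVE-2025-10035):
# 7.7.0 <= v < 7.8.4 (latest branch before the fix) and v < 7.6.3
# (sustain branch before the fix) are reported as vulnerable.
LATEST_MIN = (7, 7, 0)
LATEST_MAX = (7, 8, 4)
SUSTAIN_MAX = (7, 6, 3)

PRODUCT_MARKER = "GoAnywhere Managed File Transfer"
VERSION_RE = re.compile(r"GoAnywhere\s+(\d+)\.(\d+)\.(\d+)")

Version = Tuple[int, int, int]


def parse_version(text: str) -> Optional[Version]:
    """Extract an x.y.z version as an int tuple so comparison is numeric
    ('7.10.0' must sort above '7.9.0'); None if no version is present."""
    m = VERSION_RE.search(text)
    return tuple(int(g) for g in m.groups()) if m else None


def classify_version(ver: Version) -> Tuple[str, str]:
    """Map a version to (status, reason) using the two affected ranges."""
    if LATEST_MIN <= ver < LATEST_MAX:
        return "Vulnerable", "Within vulnerable range"
    if ver < SUSTAIN_MAX:
        return "Vulnerable", "Below sustain patch"
    return "Not vulnerable", "Not within affected range"


def classify_page(html: str) -> dict:
    """Classify a saved copy of /goanywhere/auth/Login.xhtml (no network)."""
    if PRODUCT_MARKER not in html:
        return {"status": "Not vulnerable", "reason": "Not GoAnywhere"}
    ver = parse_version(html)
    if ver is None:
        return {"status": "Unknown", "reason": "Version not found"}
    status, reason = classify_version(ver)
    return {"status": status, "version": ".".join(map(str, ver)), "reason": reason}


def classify_inventory(csv_text: str) -> list:
    """Classify host,version rows from an inventory export (constructed layout)."""
    out = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        raw = row["version"].strip()
        ver = parse_version("GoAnywhere " + raw)
        if ver is None:
            out.append({"host": row["host"], "status": "Unknown", "reason": "Version not found"})
            continue
        status, reason = classify_version(ver)
        out.append({"host": row["host"], "version": raw, "status": status, "reason": reason})
    return out


# Constructed sample data; not captured from any real deployment.
SAMPLE_INVENTORY = """host,version
mft-01.example.internal,7.8.3
mft-02.example.internal,7.8.4
mft-03.example.internal,7.6.2
mft-04.example.internal,7.6.3
mft-05.example.internal,7.10.0
mft-06.example.internal,unknown
"""

SAMPLE_LOGIN_PAGE = (
    "<html><title>GoAnywhere Managed File Transfer</title>"
    "<div class='footer'>GoAnywhere 7.7.1</div></html>"
)

if __name__ == "__main__":
    for r in classify_inventory(SAMPLE_INVENTORY):
        print(r)
    print(classify_page(SAMPLE_LOGIN_PAGE))
```

Feeding the real inventory export (or HTML fetched by an authorised scan) into `classify_inventory` or `classify_page` gives the same status/reason pairs the PoC writes to its JSON, so results from both paths can be merged into one remediation list.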


Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================
© Khalil Shreateh — Cybersecurity Researcher & White-Hat Hacker — Palestine 🇵🇸