A pre-auth deserialization vulnerability in the UserService servlet. Attackers bypassed all authentication and executed remote code as the system user. Air-gapped admin interfaces and immediate patching are non-negotiable. No amount of config hardening stops unauthenticated RCE in the web tier.
The security of GoAnywhere MFT is built upon a multi-layered approach that protects data in various states and environments.