- CVE-2025-10035 in GoAnywhere MFT is exploited by the Storm-1175 ransomware group
- The vulnerability allows unauthenticated remote code execution; Medusa ransomware deployed in at least one case
- Patch released September 18; over 500 instances remain exposed, requiring immediate upgrades or mitigations
Microsoft warns that a ransomware group is exploiting a recently discovered maximum severity vulnerability in GoAnywhere Managed File Transfer (MFT).
Fortra recently said it discovered and fixed a deserialization vulnerability in the licensing servlet of GoAnywhere MFT, a tool that helps businesses send and receive files securely.
The flaw, identified as CVE-2025-10035 and rated maximum severity (10/10 – critical), allows an attacker holding a validly forged license response signature to deserialize an arbitrary, attacker-controlled object, “potentially leading to command injection.”
Storm-1175
Shortly after, security researchers at watchTowr Labs reported finding “credible evidence” that the bug was being used as a zero-day, as early as September 10. However, at the time there was no attribution: it was not known who used the bug, for what purpose, or against which companies.
Today, Microsoft released a new report, pointing the finger at a threat actor it tracks under the name Storm-1175.
“Microsoft Defender researchers identified exploitation activities across multiple organizations aligned with tactics, techniques, and procedures (TTPs) attributed to Storm 1175,” Microsoft said in the report. “Associated activity was observed on September 11, 2025.”
Microsoft also said that the group used this vulnerability to infect its targets with the Medusa ransomware strain.
“Ultimately, in a compromised environment, the successful deployment of Medusa ransomware was observed,” the report concludes.
The patch for this vulnerability was released on September 18, but it is safe to assume that not every installation has been updated yet. The Shadowserver Foundation says more than 500 GoAnywhere MFT instances are currently exposed online, though it is unclear how many of them are patched.
The best way to protect against attacks is to upgrade to a patched version, either the latest version (7.8.4) or Sustain version 7.6.3.
Those who cannot apply the patch at this time can remove GoAnywhere from the public Internet through the admin console, and those who suspect they may have been targeted should inspect log files for errors containing the string “SignedObject.getObject.”
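The two checks above (are we on a fixed version, and do our logs carry the indicator string) are easy to turn into a small triage script. The following is an added example written for this article, not code from Fortra or Microsoft. It assumes that later point releases on the two fixed branches named above (7.8.4 and Sustain 7.6.3) are also fixed, and the sample log lines and component names in it are constructed for illustration; real GoAnywhere log layouts may differ, so adjust the timestamp pattern to match your files.

```python
"""Triage helper for the GoAnywhere MFT advisory discussed above (added example).

Two offline checks:
  1. is_patched(): compare an installed version string against the fixed
     releases the article names (7.8.4 latest, 7.6.3 Sustain). Treating later
     point releases on those two branches as fixed is an assumption.
  2. find_indicator(): scan log text for the string the article recommends
     searching for, "SignedObject.getObject", folding Java stack-trace
     continuation lines into the timestamped record they belong to, so a hit
     buried in a trace is still attributed to a time and log level.
"""
import re
from typing import List, Tuple

INDICATOR = "SignedObject.getObject"

# Fixed versions named in the article. Assumption: later point releases on the
# same branch are also fixed.
FIXED_LATEST = (7, 8, 4)
FIXED_SUSTAIN = (7, 6, 3)


def parse_version(s: str) -> Tuple[int, ...]:
    """Turn '7.6.3' into (7, 6, 3); anything non-numeric is rejected."""
    parts = s.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {s!r}")
    return tuple(int(p) for p in parts)


def is_patched(version: str) -> bool:
    """True if the version is 7.8.4 or later, or on the 7.6 Sustain branch at 7.6.3 or later."""
    v = parse_version(version)
    if v >= FIXED_LATEST:
        return True
    # Sustain branch: 7.6.3 up to, but not including, 7.7. A 7.7.x build is
    # not named as fixed by the article, so it is reported as needing upgrade.
    return FIXED_SUSTAIN <= v < (7, 7)


# Constructed sample log in a common "timestamp level component - message" shape.
# The component names are placeholders, not real GoAnywhere class names.
SAMPLE_LOG = """\
2025-09-11 02:14:07,113 INFO  admin-ui - Admin login from 10.0.0.5
2025-09-11 02:14:09,870 ERROR license-servlet - java.lang.NullPointerException
\tat java.base/java.security.SignedObject.getObject(SignedObject.java)
2025-09-11 02:15:00,002 INFO  scheduler - Job 42 completed
2025-09-11 02:16:31,450 ERROR license-servlet - SignedObject.getObject failed: invalid stream header
"""

TIMESTAMP_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}[,.]\d{3})\s+(\w+)\s+(.*)$"
)


def group_records(text: str) -> List[Tuple[str, str, str]]:
    """Group log text into (timestamp, level, body) records.

    Lines without a timestamp (stack-trace frames) are appended to the
    preceding record; a stray continuation line before any record is dropped.
    """
    records: List[List[str]] = []
    for line in text.splitlines():
        m = TIMESTAMP_RE.match(line)
        if m:
            records.append([m.group(1), m.group(2), m.group(3)])
        elif records:
            records[-1][2] += "\n" + line
    return [(r[0], r[1], r[2]) for r in records]


def find_indicator(text: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, level, first message line) for every record that
    mentions the indicator anywhere, including inside a folded stack trace."""
    hits = []
    for ts, level, body in group_records(text):
        if INDICATOR in body:
            hits.append((ts, level, body.splitlines()[0]))
    return hits


if __name__ == "__main__":
    for ver in ("7.6.2", "7.6.3", "7.7.0", "7.8.3", "7.8.4"):
        print(f"{ver}: {'patched' if is_patched(ver) else 'NEEDS UPGRADE'}")
    for ts, level, msg in find_indicator(SAMPLE_LOG):
        print(f"{ts} {level}: {msg}")
```

Run it against real log files by replacing `SAMPLE_LOG` with the file contents; the point of folding continuation lines is that the indicator usually appears as a stack frame, not in the timestamped message itself, so a plain line-by-line search would lose the time and severity of the event.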
Via BleepingComputer