- CVE-2025-10035 in GoAnywhere MFT is being exploited by ransomware group Storm-1175
- Vulnerability enables unauthenticated remote code execution; Medusa ransomware was deployed in at least one case
- Patch released September 18; over 500 instances remain exposed, urging immediate upgrades or mitigation
Microsoft is warning that a ransomware group is exploiting a maximum-severity vulnerability recently found in GoAnywhere Managed File Transfer (MFT).
Fortra recently said it discovered and patched a deserialization vulnerability in the License Servlet of GoAnywhere MFT, a tool that helps businesses send and receive files securely.
The flaw, tracked as CVE-2025-10035, and granted the maximum severity score (10/10 – critical) allows threat actors with a validly forged license response signature to deserialize an arbitrary actor-controlled object, “possibly leading to command injection.”
Storm-1175
Soon after, security researchers WatchTowr Labs reported finding “credible evidence” that the bug was being used as a zero-day, as early as September 10. However, at the time, there was no talk of attribution – we didn’t know who used the bug, for what purpose, and against which businesses.
Now, Microsoft released a new report, pointing the finger at a threat actor it tracks as Storm-1175.
“Microsoft Defender researchers identified exploitation activity in multiple organizations aligned to tactics, techniques, and procedures (TTPs) attributed to Storm-1175,” Microsoft said in the report. “Related activity was observed on September 11, 2025.”
Microsoft also said the group used the vulnerability to infect its targets with the Medusa ransomware strain.
“Ultimately, in one compromised environment, the successful deployment of Medusa ransomware was observed,” it concluded.
The patch for the vulnerability was released on September 18, but it’s safe to assume that not all of them have already been fixed. The Shadowserver Foundation says there are currently more than 500 GoAnywhere MFT instances exposed online, but it’s unclear how many of those are patched.
The best way to protect against the attacks is to upgrade to a patched version, either the latest release (7.8.4), or the Sustain Release 7.6.3.
Those who cannot patch at this time can remove GoAnywhere from the public internet through the Admin Console, and those who suspect they may have been targeted should inspect log files for errors containing the string ‘SignedObject.getObject,’.
Via BleepingComputer
