Microsoft Threat Intelligence has issued a warning after discovering active exploitation of a newly disclosed critical vulnerability in GoAnywhere Managed File Transfer (MFT) software by Storm-1175, a cybercriminal group known for deploying Medusa ransomware and for exploiting exposed enterprise applications to gain initial access.
According to Microsoft, “On September 18, 2025, Fortra published a security advisory regarding a critical deserialization vulnerability in GoAnywhere MFT’s License Servlet, which is tracked as CVE-2025-10035 and has a CVSS score of 10.0.”
The vulnerability allows attackers to execute arbitrary code on unpatched servers — without authentication in certain cases.
The vulnerability affects GoAnywhere MFT Admin Console versions up to 7.8.3 and arises from improper deserialization of user-supplied input. The issue can be triggered when an attacker submits a forged license response signature, enabling deserialization of an attacker-controlled object and ultimately leading to command injection and remote code execution (RCE).
As Microsoft explains, “The vulnerability… enables an attacker to bypass signature verification by crafting a forged license response signature, which then allows the deserialization of arbitrary, attacker-controlled objects.”
Public reports further indicate that exploitation “does not require authentication if the attacker can craft or intercept valid license responses,” making it especially dangerous for internet-facing deployments.
The threat actor Storm-1175, previously observed distributing Medusa ransomware, has quickly adopted the vulnerability in targeted attacks. Microsoft’s researchers noted that exploitation attempts began shortly after disclosure.
“Microsoft Defender researchers identified exploitation activity in multiple organizations aligned to tactics, techniques, and procedures (TTPs) attributed to Storm-1175,” the report states. The observed intrusions began as early as September 11, 2025, just days before Fortra’s public advisory.
In these attacks, Storm-1175 executed a multi-stage operation:
- Initial Access: Exploiting the zero-day deserialization flaw in GoAnywhere MFT.
- Persistence: Dropping legitimate remote monitoring and management (RMM) tools such as SimpleHelp and MeshAgent, often stored under the GoAnywhere MFT process directories.
- Post-Exploitation: Creating malicious .jsp web shells, performing system and user discovery, and using netscan for network reconnaissance.
- Lateral Movement: Leveraging mstsc.exe (Microsoft Remote Desktop) to move laterally across the victim environment.
- Command & Control (C2): Establishing a Cloudflare tunnel for encrypted communications.
- Exfiltration & Impact: Using Rclone for data exfiltration and finally deploying Medusa ransomware.
As the report highlights, “The threat actor utilized RMM tools to establish their infrastructure and even set up a Cloudflare tunnel for secure C2 communication. During the exfiltration stage, the deployment and execution of Rclone was observed in at least one victim environment. Ultimately, in one compromised environment, the successful deployment of Medusa ransomware was observed.”
Microsoft attributes this activity to Storm-1175’s known tactics of leveraging software vulnerabilities for initial access, followed by dual-use tool deployment for persistence and exfiltration. The observed use of legitimate RMM software highlights the group’s emphasis on living-off-the-land techniques to evade detection.
Microsoft strongly advises organizations to apply the patches provided by Fortra and monitor network environments for post-compromise indicators.
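The staged intrusion chain above maps to a short list of host-level signals a defender can hunt for: a JSP file written inside the GoAnywhere MFT tree, an RMM agent (SimpleHelp, MeshAgent) running from that tree, and launches of netscan, Rclone, a Cloudflare tunnel client, or mstsc.exe. The following Python triage helper is an added example written for this article; it is not Microsoft's, Fortra's, or the report's own tooling. It runs over a constructed batch of process- and file-creation events standing in for EDR telemetry. The install directory, the binary names (`MeshAgent.exe`, `netscan.exe`, `rclone.exe`, `cloudflared.exe`) and the event field names are assumptions, not values taken from the report, so set them to match your deployment and sensor schema.

```python
"""Triage helper for the Storm-1175 post-compromise indicators described above.

Added example, not Microsoft's or Fortra's code. Event records are a
constructed, minimal stand-in for EDR telemetry (process creation and file
creation events); adapt the field names to your own sensor's schema.
"""
from typing import Dict, List

# Placeholder install path (assumption): set this to the directory your
# GoAnywhere MFT instance actually runs from. The report only says
# "GoAnywhere MFT process directories" and does not name a path.
GOANYWHERE_DIR = r"C:\GoAnywhere"

# Tool families named in the report; the on-disk binary names are assumed.
RMM_TOOLS = {"simplehelp", "meshagent"}            # matched as substrings of the image name
RECON_EXFIL_C2_TOOLS = {"netscan.exe", "rclone.exe", "cloudflared.exe"}
LATERAL_TOOLS = {"mstsc.exe"}
STAGE_OF_TOOL = {"netscan.exe": "discovery",
                 "rclone.exe": "exfiltration",
                 "cloudflared.exe": "command-and-control"}


def _norm(path: str) -> str:
    """Lower-case and use backslashes so comparisons are case/separator-insensitive."""
    return path.replace("/", "\\").lower()


def under_goanywhere(path: str, root: str = GOANYWHERE_DIR) -> bool:
    """True if path sits anywhere beneath the GoAnywhere install directory."""
    root_n = _norm(root).rstrip("\\") + "\\"
    return _norm(path).startswith(root_n)


def _basename(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[-1]


def classify(event: Dict[str, str]) -> List[Dict[str, str]]:
    """Return zero or more findings for one event, each tagged with the report's stage."""
    findings: List[Dict[str, str]] = []
    if event.get("type") == "file":
        path = event.get("path", "")
        # Web shell indicator: a .jsp dropped inside the application tree.
        if under_goanywhere(path) and _basename(path).endswith(".jsp"):
            findings.append({"severity": "high", "stage": "post-exploitation",
                             "reason": f"JSP file written inside GoAnywhere tree: {path}"})
    elif event.get("type") == "process":
        image = event.get("image", "")
        name = _basename(image)
        # Persistence: RMM agent, worst when it lives under the MFT directories.
        if any(tool in name for tool in RMM_TOOLS):
            inside = under_goanywhere(image)
            findings.append({"severity": "high" if inside else "medium",
                             "stage": "persistence",
                             "reason": f"RMM agent launched{' from GoAnywhere tree' if inside else ''}: {image}"})
        # Discovery / C2 / exfiltration tooling.
        if name in RECON_EXFIL_C2_TOOLS:
            findings.append({"severity": "high", "stage": STAGE_OF_TOOL[name],
                             "reason": f"{name} executed: {event.get('cmdline', '')}"})
        # Lateral movement: RDP client use is common, so medium on its own.
        if name in LATERAL_TOOLS:
            findings.append({"severity": "medium", "stage": "lateral-movement",
                             "reason": f"{name} launched by {event.get('parent', '?')}"})
    return findings


def hunt(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Classify a batch of events and return findings, highest severity first."""
    order = {"high": 0, "medium": 1}
    found = [f for e in events for f in classify(e)]
    return sorted(found, key=lambda f: order[f["severity"]])


# Constructed sample telemetry (not real IoCs): one event per stage in the
# report, plus two benign events that must not alert.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\GoAnywhere\tomcat\bin\java.exe", "parent": "services.exe"},
    {"type": "file", "path": r"C:\GoAnywhere\tomcat\webapps\ROOT\upload.jsp"},
    {"type": "process", "image": r"C:\GoAnywhere\tomcat\MeshAgent.exe", "parent": "java.exe"},
    {"type": "process", "image": r"C:\Users\svc\Downloads\netscan.exe", "parent": "cmd.exe",
     "cmdline": "netscan.exe /range:10.0.0.0/24"},
    {"type": "process", "image": r"C:\Windows\System32\mstsc.exe", "parent": "explorer.exe"},
    {"type": "process", "image": r"C:\ProgramData\cloudflared.exe", "parent": "cmd.exe",
     "cmdline": "cloudflared tunnel run"},
    {"type": "process", "image": r"C:\ProgramData\rclone.exe", "parent": "cmd.exe",
     "cmdline": "rclone copy D:\\shares remote:bucket"},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe", "parent": "explorer.exe"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f['severity']:6}] {f['stage']:20} {f['reason']}")
```

Each finding carries the stage it corresponds to in the report's chain, so a single alerting host that trips two or more stages (for example a JSP write followed by an RMM launch from the same tree) is a much stronger signal than any one line alone. The mstsc.exe rule is deliberately kept at medium severity because RDP client use is routine; it becomes meaningful only in combination with the other stages.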