Microsoft Ties Storm-1175 to Medusa Ransomware via GoAnywhere Flaw (CVSS 10.0)

Microsoft has linked the exploitation of a critical GoAnywhere MFT vulnerability (CVE-2025-10035) to the Storm-1175 threat group, operators of the Medusa ransomware. The flaw, rated CVSS 10.0, enables unauthenticated remote code execution and is already being exploited in the wild, prompting urgent patching guidance from Microsoft and Fortra.

    A newly disclosed critical vulnerability in Fortra’s GoAnywhere Managed File Transfer (MFT) platform, tracked as CVE-2025-10035, has become the focal point of a widespread ransomware campaign. Microsoft has attributed the exploitation of the flaw to the threat actor Storm-1175, known for deploying the Medusa ransomware. The vulnerability, which carries the maximum CVSS score of 10.0, is already being exploited in the wild and has led to multiple confirmed intrusions.

    Storm-1175, a cybercriminal group operating Medusa ransomware campaigns, has been exploiting a deserialization vulnerability in GoAnywhere’s License Servlet Admin Console. According to Microsoft and corroborated by several cybersecurity firms, exploitation activities began as early as September 10, 2025—eight days before a fix was released by Fortra.

    The rapid weaponization of CVE-2025-10035 highlights the increasing sophistication of ransomware affiliates and their ability to rapidly operationalize new zero-day vulnerabilities.

    Vulnerability Overview: Unauthenticated Command Injection via License Servlet

    CVE-2025-10035 arises from an insecure deserialization flaw in GoAnywhere’s License Servlet Admin Console. The vulnerability allows threat actors to forge a malicious license response signature, enabling command injection without any form of authentication. This leads to remote code execution (RCE) on affected servers.

    Key characteristics of the flaw include:

    • It does not require user interaction or valid credentials to exploit.
    • It allows arbitrary deserialization of attacker-controlled objects.
    • Exploitation can be conducted remotely over the internet if the MFT instance is publicly accessible.
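    The two controls that matter for the flaw class described above (verify the signature before parsing, and parse into plain data rather than live objects) are illustrated by the following example. This is added illustration code, not GoAnywhere's or Fortra's implementation: the key, the blob format, the field names and the use of an HMAC tag are all assumptions constructed for the example (a vendor-issued license would normally carry an asymmetric signature; HMAC keeps this stdlib-only). The insecure parser splits the tag off and never checks it, so a client can mint any license it likes; the hardened parser verifies the tag over the raw bytes first, then accepts only a data-only JSON body with allowlisted fields.

```python
import base64
import hashlib
import hmac
import json

# Constructed server-held key for this example only; a real deployment keeps the key
# outside the application directory. An asymmetric signature is the usual choice for
# a vendor-issued license; HMAC keeps this illustration stdlib-only.
SERVER_KEY = b"example-only-license-signing-key"

# Allowlisted license fields and their expected types (assumption for the example).
ALLOWED_FIELDS = {"licensee": str, "expires": str, "max_users": int}


class LicenseError(ValueError):
    """Raised when a license blob fails integrity or schema checks."""


def sign_license(payload: dict, key: bytes = SERVER_KEY) -> bytes:
    """Encode a license as base64(json_body) + '.' + base64(hmac_tag)."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.b64encode(body) + b"." + base64.b64encode(tag)


def parse_license_insecure(blob: bytes) -> dict:
    """Weak pattern: the tag is split off and never verified, so any client
    that knows the format can mint a license the server will act on."""
    body_b64, _unverified_tag = blob.split(b".", 1)
    return json.loads(base64.b64decode(body_b64))


def parse_license_hardened(blob: bytes, key: bytes = SERVER_KEY) -> dict:
    """Hardened pattern: verify the tag over the raw bytes first, then parse
    a data-only format (JSON, never native object serialization) and reject
    anything outside the allowlisted schema."""
    try:
        body_b64, tag_b64 = blob.split(b".", 1)
        body = base64.b64decode(body_b64, validate=True)
        tag = base64.b64decode(tag_b64, validate=True)
    except ValueError as exc:  # missing '.' or bad base64 (binascii.Error is a ValueError)
        raise LicenseError("malformed license blob") from exc

    expected = hmac.new(key, body, hashlib.sha256).digest()
    # Constant-time comparison; verification happens before any parsing.
    if not hmac.compare_digest(tag, expected):
        raise LicenseError("license signature invalid")

    try:
        data = json.loads(body)
    except ValueError as exc:
        raise LicenseError("license body is not valid JSON") from exc
    if not isinstance(data, dict) or set(data) != set(ALLOWED_FIELDS):
        raise LicenseError("unexpected license fields")
    for field, expected_type in ALLOWED_FIELDS.items():
        if type(data[field]) is not expected_type:
            raise LicenseError(f"field {field!r} has the wrong type")
    return data


def is_valid_license(blob: bytes, key: bytes = SERVER_KEY) -> bool:
    """True only when the hardened parser accepts the blob."""
    try:
        parse_license_hardened(blob, key)
        return True
    except LicenseError:
        return False


if __name__ == "__main__":
    genuine = sign_license({"licensee": "Example Corp", "expires": "2026-12-31", "max_users": 25})
    # A blob signed with a key the client made up: the insecure parser acts on it,
    # the hardened parser rejects it before looking at the body.
    forged = sign_license({"licensee": "Example Corp", "expires": "2099-12-31", "max_users": 9999},
                          key=b"wrong-key")
    print("insecure parser accepts forged max_users:", parse_license_insecure(forged)["max_users"])
    print("hardened parser accepts genuine:", is_valid_license(genuine))
    print("hardened parser accepts forged:", is_valid_license(forged))
```

    The ordering is the point: the tag is checked over the raw bytes before a single byte is interpreted, and the body is a format that can only ever produce dictionaries, strings and numbers, so a forged or tampered blob has nowhere to go.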

    Researchers from watchTowr Labs confirmed that exploitation had already begun by September 10, with Microsoft confirming related malicious activity by September 11. Fortra released the necessary patch on September 18. However, Microsoft notes that as of early October, more than 500 GoAnywhere MFT instances remained exposed online, underscoring the urgency of the threat.

    Breakdown of the Storm-1175 Attack Chain

    Microsoft and multiple threat intelligence sources have provided detailed insights into the multi-phase intrusion sequence associated with this campaign.

    Persistence Achieved via Remote Management Tools

    After successfully exploiting the GoAnywhere flaw for initial access, Storm-1175 maintains persistence using remote monitoring and management (RMM) software. The group has primarily leveraged:

    • SimpleHelp
    • MeshAgent

    These tools provide remote access capabilities and make detection more difficult, as they may resemble legitimate administrative activity.

    Web Shells and Lateral Movement Facilitate Deeper Infiltration

    Post-access, the attackers deploy .jsp web shell files into GoAnywhere directories to maintain control. Once established, they conduct:

    • System and user enumeration
    • Network scanning
    • Lateral movement using native Windows utilities like `mstsc.exe` (Microsoft Terminal Services Client)

    Data Exfiltration with Rclone Precedes Ransomware Deployment

    Before launching the Medusa ransomware payload, Storm-1175 uses the open-source command-line tool Rclone to exfiltrate sensitive corporate data. Communication with command-and-control (C2) infrastructure was observed to be tunneled through Cloudflare, providing obfuscation and resiliency.

    In at least one confirmed case, the ransomware payload was subsequently deployed, locking files and issuing ransom demands typical of Medusa operations.

    Microsoft Urges Immediate Mitigation and Patching

    Microsoft is advising all organizations using GoAnywhere MFT to:

    1. Upgrade to the latest patched version available from Fortra.
    2. Immediately isolate or remove GoAnywhere from public-facing environments if patching is not possible.
    3. Monitor for known indicators of compromise (IOCs) associated with this campaign, including:

        • Presence of `MeshAgent` or `SimpleHelp` on systems
        • Suspicious `.jsp` files within application directories
        • Unusual use of `mstsc.exe` or Rclone
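    A hunting script for the indicators listed above, added here as an example and not Microsoft's or Fortra's tooling: it takes a file listing and a process snapshot (both constructed inline for a hypothetical host) and flags `.jsp` files under GoAnywhere directories that are absent from a known-good baseline, RMM agents by image name, and Rclone or `mstsc.exe` running under the MFT service account. The paths, image names, account names and baseline are assumptions; on a real host the same functions would be fed the output of a directory walk and a process listing, or EDR telemetry.

```python
import re
from dataclasses import dataclass

# Indicator names taken from the advisory text; matching is case-insensitive and
# tolerant of the .exe suffix and vendor-specific file names.
RMM_MARKERS = ("meshagent", "simplehelp")
APP_DIR_MARKER = "goanywhere"


@dataclass(frozen=True)
class Proc:
    pid: int
    name: str      # image name as reported by the process list
    cmdline: str
    user: str      # account the process runs as


def _parts(path: str) -> list:
    """Split a Windows or POSIX path into components."""
    return [p for p in re.split(r"[\\/]+", path) if p]


def _base(image: str) -> str:
    """Lower-case image name without a trailing .exe."""
    return re.sub(r"\.exe$", "", image.lower())


def suspicious_jsp_files(paths, baseline=frozenset()):
    """Return .jsp files under a GoAnywhere directory that are not in the
    known-good baseline (paths recorded from a clean install)."""
    hits = []
    for path in paths:
        parts = _parts(path)
        if not parts or not parts[-1].lower().endswith(".jsp"):
            continue
        if not any(APP_DIR_MARKER in p.lower() for p in parts[:-1]):
            continue
        if path in baseline:
            continue
        hits.append(path)
    return hits


def rmm_processes(procs):
    """Processes whose image name contains an RMM marker (MeshAgent, SimpleHelp)."""
    return [p for p in procs if any(m in p.name.lower() for m in RMM_MARKERS)]


def tooling_processes(procs, service_accounts=frozenset()):
    """rclone anywhere, plus mstsc launched by a service account: the account
    that runs GoAnywhere has no business opening interactive RDP sessions."""
    hits = []
    for p in procs:
        base = _base(p.name)
        if base == "rclone" or (base == "mstsc" and p.user.lower() in service_accounts):
            hits.append(p)
    return hits


def hunt(paths, procs, baseline=frozenset(), service_accounts=frozenset()):
    """Run all three checks and return the findings keyed by indicator class."""
    return {
        "jsp": suspicious_jsp_files(paths, baseline),
        "rmm": rmm_processes(procs),
        "tools": tooling_processes(procs, service_accounts),
    }


# Constructed sample data: file listing and process snapshot from a hypothetical host.
SAMPLE_PATHS = [
    r"C:\GoAnywhere\tomcat\webapps\ROOT\login.jsp",       # in baseline, ignored
    r"C:\GoAnywhere\tomcat\webapps\ROOT\help.jsp",        # not in baseline, flagged
    "/opt/goanywhere/tomcat/webapps/ROOT/css/cmd.jsp",     # flagged
    r"C:\inetpub\wwwroot\other.jsp",                      # not under GoAnywhere, ignored
    r"C:\GoAnywhere\userdata\report.txt",                 # not .jsp, ignored
]
SAMPLE_BASELINE = frozenset({r"C:\GoAnywhere\tomcat\webapps\ROOT\login.jsp"})
SAMPLE_SERVICE_ACCOUNTS = frozenset({"svc_goanywhere"})
SAMPLE_PROCS = [
    Proc(412, "java.exe", "java -jar goanywhere.jar", "svc_goanywhere"),
    Proc(1988, "MeshAgent.exe", r"C:\ProgramData\Mesh\MeshAgent.exe", "SYSTEM"),
    Proc(2210, "rclone.exe", r"rclone copy D:\share remote:bucket", "svc_goanywhere"),
    Proc(2300, "mstsc.exe", "mstsc /v:fileserver01", "svc_goanywhere"),
    Proc(2301, "mstsc.exe", "mstsc /v:fileserver01", "CORP\\jdoe"),
    Proc(3000, "simplehelp-agent.exe", r"C:\ProgramData\SimpleHelp\simplehelp-agent.exe", "SYSTEM"),
]

if __name__ == "__main__":
    findings = hunt(SAMPLE_PATHS, SAMPLE_PROCS, SAMPLE_BASELINE, SAMPLE_SERVICE_ACCOUNTS)
    for kind, items in findings.items():
        for item in items:
            print(f"[{kind}] {item}")
```

    The baseline is what keeps the `.jsp` check useful: the application ships its own JSP pages, so the interesting files are the ones that were not there on a clean install. The `mstsc.exe` rule is deliberately narrow, since an administrator opening RDP from their own account is normal, while the MFT service account doing so is not.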

    Security Community Response and Vendor Transparency

    While Microsoft and cybersecurity researchers have widely disseminated technical advisories, some security experts have criticized Fortra for delayed and limited disclosure about the flaw’s exploitation during the initial weeks. This window likely facilitated exploitation by ransomware gangs including Storm-1175.

    Despite the patch being released on September 18, many organizations remain unaware or unable to apply the fix promptly, leaving them vulnerable.

    Medusa Ransomware and Storm-1175 Continue Expanding Targeting Scope

    Storm-1175 and its alignment with Medusa ransomware demonstrate a focused, technically capable adversary actively abusing high-profile enterprise software vulnerabilities. CVE-2025-10035 reflects the broader trend of leveraging insecure deserialization bugs—especially those requiring no authentication—to gain rapid footholds in enterprise environments.

    Organizations using GoAnywhere should combine software patching with continuous exposure analysis, threat hunting for known TTPs (tactics, techniques, and procedures), and staff awareness training.

    The critical nature of CVE-2025-10035, the weaponization by advanced ransomware actors, and the slow patch adoption across enterprises amplify the urgency for defensive readiness. With over 500 internet-facing GoAnywhere servers still unpatched, the attack surface remains dangerously wide open.
