Microsoft has reported that a threat actor it calls Storm-1175 is exploiting a critical vulnerability in Fortra’s GoAnywhere Managed File Transfer (MFT) product. The attacks use a serious deserialization flaw in the GoAnywhere license servlet and have been tied to follow-up activity that included delivering Medusa ransomware.
The technical problem is an unauthenticated deserialization bug tracked as CVE-2025-10035. An attacker who can send a specially forged license response can force the server to deserialize attacker-controlled data. That unsafe deserialization can allow remote command execution on the affected server without any valid login.
This vulnerability is rated at the highest possible severity and is reachable over the Internet when the GoAnywhere Admin Console or license servlet is publicly accessible. Because it requires no authentication, attackers can exploit exposed servers directly and run commands inside the victim environment.
Security teams observed active exploitation around mid-September 2025, roughly when the vendor published an advisory and patches. In the observed incidents, attackers used the flaw as an initial access vector, then ran discovery and post-compromise actions to expand their foothold inside networks.
Microsoft’s analysis links the intrusion activity to Storm-1175 and shows that the group’s behavior included installing remote management tools, escalating privileges, moving laterally, and ultimately deploying Medusa ransomware in at least one confirmed case. The pattern of actions matches typical ransomware attack chains seen in other campaigns.
If your organization uses GoAnywhere, the immediate priority is to apply the vendor’s patches. The vendor released fixed versions for supported releases; installing those updates is the most reliable way to remove the vulnerability and stop the exploit from working.
If you cannot patch right away, block public access to the GoAnywhere Admin Console and the license servlet. Use firewall rules, network segmentation, or access controls to prevent direct Internet access to those interfaces until a patch is in place.
You should also hunt for signs of compromise. Check Admin Audit logs and application logs for anomalous entries, including errors or unusual deserialization traces. Look for unexpected remote management software, unfamiliar service installs, abnormal process launches, and lateral movement indicators.
Increase monitoring and prepare incident response steps. Ensure endpoint detection tools and SIEM rules can detect new remote access tools, unusual command executions, and privilege escalation attempts. Have a containment plan ready if you see evidence of intrusion.
This vulnerability and the associated exploitation have been confirmed by multiple trusted sources. The facts CVE identifier, unauthenticated deserialization leading to remote code execution, evidence of active exploitation, and the ransomware linkage are consistent across vendor advisories and threat intelligence reports.
Treat this as urgent if you run GoAnywhere on systems that are reachable from the Internet. Patch first, block public access if you cannot patch immediately, and actively hunt your logs and endpoints for signs of attacker activity.
If needed, prepare a simple internal alert for IT and operations teams that lists the patched versions to install, firewall rules to apply, and basic queries to search logs for suspicious entries. Acting quickly and following these steps will significantly lower the chance of a damaging ransomware incident.
Stay alert, and keep your security measures updated!
Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news
