Microsoft: Critical GoAnywhere Bug Exploited in Ransomware Attacks CVE-2025-10035
Key takeaways:
- CVE-2025-10035 is a critical vulnerability in Fortra’s GoAnywhere MFT tool.
- The Storm-1175 cybercrime group is actively exploiting this vulnerability in Medusa ransomware attacks.
- Organizations using GoAnywhere MFT should immediately apply the patch released by Fortra.
Table of Contents:
- CVE-2025-10035: GoAnywhere MFT Deserialization Vulnerability
- Exploitation by Storm-1175 in Medusa Ransomware Attacks
- Impact on Critical Infrastructure
- GoAnywhere MFT Instances Exposed Online
- Mitigation Strategies
- Practical Takeaways
- PurpleOps and Threat Intelligence
- FAQ
CVE-2025-10035: GoAnywhere MFT Deserialization Vulnerability
The vulnerability, CVE-2025-10035, lies within the License Servlet of Fortra’s GoAnywhere MFT software. It is caused by a deserialization of untrusted data weakness, allowing for remote exploitation with low complexity and without requiring user interaction. No CVSS score is quoted in the report, but those characteristics (remote, low complexity, no user interaction) imply a high-severity rating given the potential impact.
Exploitation by Storm-1175 in Medusa Ransomware Attacks
Microsoft has confirmed that the Storm-1175 threat group, a known affiliate of the Medusa ransomware operation, has been actively exploiting CVE-2025-10035 since at least September 11, 2025. WatchTowr Labs researchers had previously identified the exploitation of this flaw as a zero-day vulnerability.
The attack chain observed by Microsoft involves several stages:
- Initial Access: Exploitation of the GoAnywhere MFT deserialization vulnerability.
- Persistence: Abuse of remote monitoring and management (RMM) tools such as SimpleHelp and MeshAgent.
- Reconnaissance: Use of Netscan for network discovery.
- Lateral Movement: Execution of commands for user and system discovery, followed by lateral movement through the network using the Microsoft Remote Desktop Connection client (mstsc.exe).
- Data Exfiltration: Deployment of Rclone to exfiltrate stolen files.
- Encryption: Deployment of Medusa ransomware payloads to encrypt victims’ files.
This multi-stage approach allows the attackers to gain a foothold, maintain access, identify valuable data, and ultimately encrypt systems for ransom.
Impact on Critical Infrastructure
In March 2025, CISA, along with the FBI and MS-ISAC, issued a joint advisory stating that the Medusa ransomware operation had impacted over 300 critical infrastructure organizations across the United States. This highlights the potential for significant disruption and damage resulting from successful Medusa ransomware attacks.
GoAnywhere MFT Instances Exposed Online
The Shadowserver Foundation is currently monitoring over 500 GoAnywhere MFT instances exposed online. While it is unclear how many of these have been patched, the high number of exposed instances suggests a significant attack surface for potential exploitation. This underscores the importance of promptly applying security patches and implementing appropriate network security measures.
Mitigation Strategies
Fortra released a patch for CVE-2025-10035 on September 18, 2025. Organizations using GoAnywhere MFT are strongly advised to upgrade to the latest version immediately. Additionally, Fortra recommends inspecting log files for stack trace errors containing the “SignedObject.getObject” string to determine if instances have been compromised.
Practical Takeaways
Technical Readers
- Patch Immediately: Upgrade GoAnywhere MFT to the latest version to remediate CVE-2025-10035.
- Log Analysis: Examine GoAnywhere MFT log files for “SignedObject.getObject” stack trace errors indicating potential compromise.
- RMM Tool Monitoring: Review the usage of remote monitoring and management (RMM) tools. Unusual activity from tools like SimpleHelp and MeshAgent may indicate malicious activity.
- Network Segmentation: Ensure proper network segmentation to limit lateral movement in the event of a successful breach.
- Endpoint Detection and Response (EDR): Ensure robust EDR solutions are in place to detect and respond to malicious activity, including ransomware deployment.
- Monitor for real-time ransomware intelligence to adapt defenses quickly. Consider using a live ransomware API to integrate threat data into security tools.
- Implement breach detection mechanisms to identify and respond to security incidents promptly.
- Implement supply-chain risk monitoring, especially to assess the security posture of third-party vendors.
- Utilize underground forum intelligence to gain insights into emerging threats and vulnerabilities.
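As an added example (not part of the original article or of Fortra’s own tooling), the log check recommended under Mitigation Strategies and in the Log Analysis takeaway above: a small Python scanner that groups timestamped log entries together with their stack frames and flags any entry containing the “SignedObject.getObject” string. The timestamped-header log layout, the class names and the sample log lines are assumptions constructed for illustration.

```python
"""Flag GoAnywhere MFT-style log entries whose stack trace contains the
"SignedObject.getObject" marker Fortra names as a CVE-2025-10035 indicator.
Assumed layout: timestamped header line, then indented Java frames."""
import re

MARKER = "SignedObject.getObject"
# Assumed layout: a line starting with a timestamp opens a new log entry.
HEADER = re.compile(r"^\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}:\d{2}")


def group_entries(text: str) -> list[list[str]]:
    """Split log text into entries: a header line plus its continuation lines
    (exception message, stack frames, 'Caused by:') up to the next header."""
    entries: list[list[str]] = []
    for line in text.splitlines():
        if HEADER.match(line) or not entries:
            entries.append([line])
        else:
            entries[-1].append(line)
    return entries


def find_suspicious_entries(text: str) -> list[dict]:
    """Return one finding per entry that mentions MARKER anywhere, carrying the
    header (timestamp and message) and the matching lines for triage."""
    findings = []
    for entry in group_entries(text):
        hits = [line.strip() for line in entry if MARKER in line]
        if hits:
            findings.append({"header": entry[0], "frames": hits})
    return findings


# Constructed sample (not a captured log): a benign error, then a trace through
# SignedObject.getObject while handling a license request; classes are placeholders.
SAMPLE_LOG = """\
2025-09-12 03:14:07 INFO  Scheduler started
2025-09-12 03:14:09 ERROR Login failed for user 'svc_backup'
\tat com.example.auth.Login.check(Login.java:88)
2025-09-12 03:15:42 ERROR Unhandled exception in license request
java.io.IOException: invalid license payload
\tat java.base/java.security.SignedObject.getObject(SignedObject.java)
\tat com.example.LicenseServlet.doPost(LicenseServlet.java:61)
2025-09-12 03:16:00 INFO  Scheduler tick
"""

if __name__ == "__main__":
    for finding in find_suspicious_entries(SAMPLE_LOG):
        print("SUSPICIOUS:", finding["header"])
        for frame in finding["frames"]:
            print("   ", frame)
```

A hit only shows that a signed object was deserialized from a request that raised an error; the timestamp and surrounding entries still have to be correlated with RMM installs, Netscan or Rclone activity before treating the host as compromised.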
Business Leaders
- Prioritize Patching: Ensure a process is in place for the timely patching of critical vulnerabilities.
- Incident Response Plan: Review and update incident response plans to include specific steps for ransomware attacks.
- Security Awareness Training: Provide regular security awareness training to employees to help them identify and avoid phishing attacks and other social engineering tactics.
- Cyber Insurance: Consider cyber insurance to mitigate the financial impact of a successful ransomware attack.
- Implement brand leak alerting systems to protect the company’s reputation and data integrity.
PurpleOps and Threat Intelligence
PurpleOps offers a suite of services that can help organizations defend against threats like the Medusa ransomware and vulnerabilities like CVE-2025-10035. Our cyber threat intelligence platform provides actionable insights into emerging threats, allowing organizations to proactively identify and mitigate risks. We offer a comprehensive dark web monitoring service to detect compromised credentials and sensitive data that may be used in ransomware attacks. Our services also include Telegram threat monitoring to stay ahead of emerging threats.
Our real-time ransomware intelligence services enable you to rapidly adapt your defenses, while our supply-chain risk monitoring capabilities help you assess the security posture of your vendors. By leveraging our underground forum intelligence, you can gain insights into attacker tactics and techniques, allowing you to better protect your organization.
To learn more about how PurpleOps can help you strengthen your cybersecurity posture and protect against ransomware threats, please visit our platform overview or contact us about PurpleOps Solutions.
FAQ
What is CVE-2025-10035?
CVE-2025-10035 is a critical deserialization vulnerability in Fortra’s GoAnywhere MFT software that allows for remote exploitation.
Who is exploiting this vulnerability?
The Storm-1175 cybercrime group, affiliated with the Medusa ransomware operation, is actively exploiting CVE-2025-10035.
How can I protect my organization?
Apply the latest patch released by Fortra for GoAnywhere MFT, monitor logs for suspicious activity, and implement robust security measures such as network segmentation and EDR solutions.