Fortra’s GoAnywhere Managed File Transfer (MFT) was exploited via CVE-2025-10035, a critical zero-day deserialization vulnerability (CVSS 10.0) in the License Servlet of its Admin Console, affecting versions 7.8.3 and earlier. The Storm-1175 threat group weaponized the flaw, reachable without authentication on internet-facing instances, to achieve remote code execution (RCE) and from there broad network compromise. Attackers deployed .jsp web shells, installed remote monitoring and management tools (SimpleHelp, MeshAgent) for persistence and command and control, moved laterally over RDP (mstsc.exe), and exfiltrated data with Rclone before detonating the final payload, Medusa ransomware, which encrypted systems and demanded payment for decryption keys. The attack disrupted operations, risked sensitive data exposure, and threatened business continuity. Mitigation required emergency patching (Fortra fixed the flaw in 7.8.4 and in the 7.6.3 Sustain Release), EDR/XDR deployment, and network isolation; because a patch does not undo an existing foothold, already-exposed instances also needed a compromise assessment. The incident highlights the severe risk that unpatched critical vulnerabilities in enterprise file-transfer systems pose, exposing organizations to financial loss, reputational harm, and operational shutdowns.
Source: https://cyberpress.org/goanywhere-0-day-rce/
TPRM report: https://www.rankiteo.com/company/fortra
"id": "for1232312100725",
"linkid": "fortra",
"type": "Ransomware",
"date": "9/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'industry': 'File transfer/IT security',
'name': 'Fortra (GoAnywhere MFT)',
'type': 'Software vendor'}],
'attack_vector': ['Network-based exploitation',
'Deserialization flaw (CVE-2025-10035)',
'Remote code execution (RCE)',
'Web shells (.jsp)',
'RMM tools (SimpleHelp, MeshAgent)'],
'customer_advisories': ['Fortra urged customers to patch immediately and '
'investigate for signs of compromise.'],
'data_breach': {'data_encryption': True, 'data_exfiltration': True},
'date_detected': '2025-09-11',
'date_publicly_disclosed': '2025-09-18',
'description': 'A critical zero-day vulnerability (CVE-2025-10035) in '
'GoAnywhere Managed File Transfer’s (MFT) License Servlet is '
'being actively exploited by the Storm-1175 threat group to '
'deploy Medusa ransomware. The deserialization flaw (CVSS '
'10.0) allows remote code execution (RCE) on unpatched, '
'internet-facing instances (≤ v7.8.3). Exploitation involves '
'bypassing signature verification via malicious license '
'responses, enabling system discovery, privilege escalation, '
'lateral movement, and ransomware deployment. Mitigation '
'requires immediate patching, network restrictions, EDR/XDR '
'deployment, and monitoring for web shells and C2 traffic.',
'impact': {'brand_reputation_impact': True,
'data_compromised': True,
'downtime': True,
'operational_impact': True,
'systems_affected': True},
'initial_access_broker': {'backdoors_established': ['Web shells (.jsp)',
'RMM tools (SimpleHelp, '
'MeshAgent)'],
'entry_point': 'GoAnywhere MFT License Servlet '
'(CVE-2025-10035)',
'high_value_targets': ['Admin consoles',
'File transfer systems',
'Internal hosts reached over RDP']},
'investigation_status': 'Ongoing (as of disclosure date)',
'lessons_learned': ['Zero-day vulnerabilities in file transfer tools pose '
'severe risks due to high privilege levels.',
'Internet-facing admin consoles are prime targets for RCE '
'exploits.',
'RMM tools can be weaponized for persistence and C2 if '
'not strictly controlled.',
'Patching alone is insufficient if systems are already '
'compromised; forensic investigation is critical.'],
'motivation': ['Financial gain (ransomware)',
'Data theft',
'Network compromise'],
'post_incident_analysis': {'corrective_actions': ['Patch management overhaul '
'for critical systems.',
'Reduction of attack '
'surface (e.g., removing '
'admin consoles from the '
'internet).',
'Enhanced EDR/XDR coverage '
'for file transfer tools.',
'Implementation of '
'behavioral detection for '
'deserialization attacks.',
'Restriction of RMM tool '
'usage to authorized '
'channels.'],
'root_causes': ['Unpatched zero-day vulnerability '
'(CVE-2025-10035) in License '
'Servlet.',
'Signature check on license '
'responses could be bypassed, so '
'untrusted data reached the '
'deserializer.',
'Internet-facing deployment of '
'high-privilege admin console.',
'Insufficient monitoring for '
'exploitation attempts (e.g., '
'License Servlet traffic '
'anomalies).']},
'ransomware': {'data_encryption': True,
'data_exfiltration': True,
'ransom_demanded': True,
'ransomware_strain': 'Medusa'},
'recommendations': ['Immediately upgrade GoAnywhere MFT to a patched '
'version (7.8.4, or 7.6.3 Sustain Release).',
'Isolate GoAnywhere servers from the internet or restrict '
'outbound access.',
'Deploy EDR/XDR solutions in block mode to intercept '
'post-exploitation activity.',
'Monitor for unusual License Servlet traffic (signature '
'verification failures).',
'Use attack surface reduction rules to prevent web shell '
'deployment.',
'Conduct thorough investigations of potentially '
'compromised hosts.',
'Leverage Microsoft Defender Vulnerability Management for '
'unified visibility.',
'Implement network segmentation to limit lateral '
'movement.'],
'references': [{'date_accessed': '2025-09-11',
'source': 'Microsoft Threat Intelligence'},
{'source': 'Fortra Security Advisory (CVE-2025-10035)'}],
'response': {'containment_measures': ['Patch deployment (GoAnywhere MFT 7.8.4 '
'or 7.6.3 Sustain Release)',
'Restrict outbound internet access from '
'GoAnywhere servers',
'Block malicious downloads/C2 '
'communications'],
'enhanced_monitoring': ['License Servlet traffic',
'EDR/XDR alerts',
'RMM tool usage'],
'incident_response_plan_activated': True,
'recovery_measures': ['Leverage XDR for unified visibility',
'Monitor License Servlet traffic for '
'signature verification failures',
'Use external attack surface management '
'tools to discover unpatched instances'],
'remediation_measures': ['Investigate compromised hosts (patch '
'does not remediate existing '
'infections)',
'Deploy EDR in block mode',
'Enable automated '
'investigation/remediation workflows',
'Apply attack surface reduction rules '
'(web shell prevention, executable '
'restrictions)']},
'threat_actor': {'associated_malware': ['Medusa ransomware',
'SimpleHelp',
'MeshAgent',
'Rclone'],
'name': 'Storm-1175',
'tactics_techniques_procedures': ['Initial access via '
'CVE-2025-10035 '
'exploitation',
'RCE via malicious license '
'response deserialization',
'Persistence via web '
'shells (.jsp)',
'Lateral movement via RDP '
'(mstsc.exe)',
'C2 via RMM tools tunneled '
'through Cloudflare',
'Data exfiltration via '
'Rclone',
'Ransomware deployment '
'(Medusa)']},
'title': 'Critical Zero-Day Exploitation in GoAnywhere MFT Leading to Medusa '
'Ransomware Deployment',
'type': ['Zero-day exploitation',
'Ransomware attack',
'Unauthorized access',
'Data exfiltration'],
'vulnerability_exploited': {'affected_component': 'GoAnywhere MFT License '
'Servlet Admin Console',
'affected_versions': '≤ 7.8.3',
'cve_id': 'CVE-2025-10035',
'cvss_score': 10.0,
'patch_status': 'Patched in 7.8.4 and in the 7.6.3 '
'Sustain Release',
'type': 'Deserialization flaw'}}
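The recommendations above (watch License Servlet traffic for signature-verification failures, catch dropped .jsp web shells, spot RMM and exfiltration tooling launched from the MFT host, find unpatched builds) turned into a small triage script, as an added example. This is illustrative code written for this page, not tooling from Fortra, Microsoft or the report. The License Servlet path `/goanywhere/lic/accept`, the `SignedObject.getObject` marker in the application log, the `user=... image=...` process-event format and the `svc_goanywhere` service-account name are assumptions, and every log line is constructed.

```python
"""Triage checks for a GoAnywhere MFT host suspected of CVE-2025-10035 activity.

Added example for this page, not code from Fortra, Microsoft or the report.
Assumptions (none stated on the page):
  - Admin Console under /goanywhere/, License Servlet at /goanywhere/lic/accept,
    Tomcat combined-format access log.
  - A failed license-signature check leaves a SignedObject.getObject stack
    trace in the application log (assumed marker string).
  - Process events are "user=... image=..." lines (constructed format).
  - Fixed builds: 7.8.4 on the main line, 7.6.3 on the Sustain Release branch.
"""
import re
from dataclasses import dataclass

LICENSE_SERVLET = "/goanywhere/lic/accept"                # assumed endpoint
SIG_FAIL_MARKER = "SignedObject.getObject"                # assumed log marker
TOOLING = ("simplehelp", "meshagent", "rclone", "mstsc")  # tools named in the report
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


@dataclass(frozen=True)
class Finding:
    rule: str
    evidence: str


def vulnerable_version(version: str) -> bool:
    """True when the reported build predates the fix (7.8.4, or 7.6.3 on the
    Sustain branch); anything else at or below 7.8.3 is treated as affected."""
    parts = tuple(int(p) for p in version.split("."))
    if parts[:2] == (7, 6):
        return parts < (7, 6, 3)
    return parts < (7, 8, 4)


def scan_access_log(lines):
    """Flag POSTs to the License Servlet, then any .jsp request from a source
    that already hit the servlet: the web-shell step of the reported chain."""
    findings, hit_servlet = [], set()
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ip, method = m["ip"], m["method"]
        path = m["path"].split("?", 1)[0]
        if method == "POST" and path.startswith(LICENSE_SERVLET):
            findings.append(Finding("license-servlet-post", line))
            hit_servlet.add(ip)
        elif ip in hit_servlet and path.lower().endswith(".jsp"):
            findings.append(Finding("jsp-after-license-post", line))
    return findings


def scan_app_log(lines):
    """Signature-verification failures on license responses, the report's
    'unusual License Servlet traffic' signal."""
    return [Finding("license-signature-failure", l) for l in lines if SIG_FAIL_MARKER in l]


def scan_process_events(lines, service_account):
    """RMM, exfiltration and RDP clients launched by the MFT service account,
    which has no legitimate reason to run any of them."""
    out = []
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        image = fields.get("image", "").lower()
        if fields.get("user") == service_account and any(t in image for t in TOOLING):
            out.append(Finding("rmm-or-exfil-tool", line))
    return out


# Constructed sample data: one intrusion matching the reported chain, plus benign noise.
ACCESS_LOG = [
    '203.0.113.7 - - [11/Sep/2025:03:14:02 +0000] "POST /goanywhere/lic/accept HTTP/1.1" 200 512',
    '203.0.113.7 - - [11/Sep/2025:03:14:09 +0000] "GET /goanywhere/images/logo.png HTTP/1.1" 200 1024',
    '203.0.113.7 - - [11/Sep/2025:03:15:41 +0000] "GET /goanywhere/res/m.jsp?cmd=whoami HTTP/1.1" 200 88',
    '198.51.100.9 - - [11/Sep/2025:03:16:00 +0000] "GET /goanywhere/auth/Login.xhtml HTTP/1.1" 200 4096',
]
APP_LOG = [
    "2025-09-11 03:14:02 ERROR LicenseServlet - license response rejected",
    "    at java.security.SignedObject.getObject(SignedObject.java)",
    "2025-09-11 03:16:00 INFO  Login - user admin authenticated",
]
PROCESS_EVENTS = [
    r"user=svc_goanywhere image=C:\Windows\System32\cmd.exe",
    r"user=svc_goanywhere image=C:\ProgramData\sh\rclone.exe",
    r"user=svc_goanywhere image=C:\Windows\System32\mstsc.exe",
    r"user=jsmith image=C:\Tools\SimpleHelp.exe",  # an admin's own RMM client, not flagged
]


def triage(access=ACCESS_LOG, app=APP_LOG, procs=PROCESS_EVENTS, account="svc_goanywhere"):
    """Run every check and group the evidence by rule name."""
    grouped = {}
    for f in scan_access_log(access) + scan_app_log(app) + scan_process_events(procs, account):
        grouped.setdefault(f.rule, []).append(f.evidence)
    return grouped


if __name__ == "__main__":
    for rule, hits in triage().items():
        print(f"[{rule}] {len(hits)} hit(s)")
        for h in hits:
            print("   ", h)
```

Run it directly to print the grouped findings. In a real investigation feed in the Tomcat access log, the GoAnywhere application log and EDR process events in the same shapes; a `jsp-after-license-post` or `rmm-or-exfil-tool` hit is a compromise indicator that patching alone will not remove, which is why the report pairs the upgrade with a host investigation.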