Fortra (GoAnywhere MFT)

CVE-2025-10035 is a critical deserialization flaw in the License Servlet of Fortra's GoAnywhere Managed File Transfer (MFT). Rated CVSS 10.0 (Critical), it allows unauthenticated remote code execution: an attacker who can forge a valid license response signature gets the servlet to deserialize attacker-controlled data, which leads to command injection on the host. It was exploited as a zero-day by Storm-1175, a ransomware group linked to Medusa ransomware.

Microsoft confirmed exploitation across multiple organizations, with at least one confirmed Medusa ransomware deployment after the initial compromise. Fortra released fixed builds (7.8.4, or Sustain Release 7.6.3) on September 18, 2025, but over 500 GoAnywhere MFT instances reachable from the internet remain unpatched, and every instance still on an earlier build is exposed to the same attack.

The observed attack chain is initial access via CVE-2025-10035 followed by ransomware deployment, with the usual consequences of data encryption, operational disruption and extortion demands. Organizations that neither patch nor mitigate (for example by removing the instance from public internet exposure) face data breaches, reputational damage and regulatory penalties. Log entries containing 'SignedObject.getObject' errors may indicate that an instance has been attacked.

Source: https://www.techradar.com/pro/security/microsoft-warns-critical-goanywhere-security-bug-is-being-exploited-by-ransomware-gang

TPRM report: https://www.rankiteo.com/company/fortra
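Two checks a responder wants on every GoAnywhere host follow from the summary above: whether the installed build carries the fix (7.8.4, or 7.6.3 on the Sustain branch), and whether the logs contain the 'SignedObject.getObject' error string that Fortra and Microsoft point to. The script below is an added example written for this page; it is not Fortra's code and not taken from the page's sources. The log lines it scans are constructed for the demo, and the branch rule in is_patched (7.6.x fixed from 7.6.3, every other branch fixed from 7.8.4) is an assumption derived from the two fixed versions the advisory names; only the indicator substring itself comes from the advisory.

```python
"""Triage helpers for CVE-2025-10035 in GoAnywhere MFT (added example).

Not Fortra code. The log format in SAMPLE_LOG is constructed; real GoAnywhere
log files will look different. Only the INDICATOR string is from the advisory.
"""
import re
from typing import Iterable

# Fixed releases named in the advisory: 7.8.4 on the main branch and 7.6.3 on
# the Sustain branch. ASSUMPTION: 7.7.x has no fixed build and must move up.
FIXED_MAIN = (7, 8, 4)
FIXED_SUSTAIN = (7, 6, 3)
INDICATOR = "SignedObject.getObject"

# Timestamp prefix used by the constructed log lines; stack-trace lines carry
# no timestamp, so the scanner attaches the last one seen above them.
TIMESTAMP_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}:\d{2})")


def parse_version(text: str) -> tuple:
    """Turn '7.8.4' (a suffix such as '7.6.3-sr' is tolerated) into (7, 8, 4)."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(version: str) -> bool:
    """True if the build carries the CVE-2025-10035 fix.

    7.6.x is the Sustain branch and is fixed from 7.6.3; any other branch is
    fixed only from 7.8.4 upward (so 7.7.1 and 7.8.3 are both vulnerable).
    """
    v = parse_version(version)
    if v[:2] == FIXED_SUSTAIN[:2]:
        return v >= FIXED_SUSTAIN
    return v >= FIXED_MAIN


def find_indicators(lines: Iterable[str]) -> list:
    """Return one hit per log line containing the indicator string.

    Each hit records the line number, the nearest preceding timestamp and the
    line text, so the analyst can pull the full stack trace from the real file.
    """
    hits = []
    last_ts = None
    for lineno, line in enumerate(lines, start=1):
        m = TIMESTAMP_RE.match(line)
        if m:
            last_ts = m.group(1)
        if INDICATOR in line:
            hits.append({"line": lineno, "timestamp": last_ts, "text": line.rstrip("\n")})
    return hits


def triage(version: str, log_lines: Iterable[str]) -> dict:
    """Combine the version check and the log scan into a single verdict.

    An indicator hit outranks the patch level: a host patched on the 18th may
    already have been compromised during the zero-day window before that.
    """
    hits = find_indicators(log_lines)
    patched = is_patched(version)
    if hits:
        verdict = "possible compromise: investigate regardless of patch level"
    elif patched:
        verdict = "patched, no indicator seen"
    else:
        verdict = "vulnerable: patch now or remove from public internet exposure"
    return {"version": version, "patched": patched,
            "indicator_hits": len(hits), "verdict": verdict}


# CONSTRUCTED sample log for the demo; not a real GoAnywhere log excerpt.
SAMPLE_LOG = """\
2025-09-12 03:14:07 INFO  LicenseServlet - license response received
2025-09-12 03:14:07 ERROR LicenseServlet - unexpected error handling license response
java.lang.Exception: (constructed exception message)
\tat java.base/java.security.SignedObject.getObject(SignedObject.java)
\tat application.frame.Constructed(Constructed.java)
2025-09-12 03:15:40 INFO  Scheduler - job completed
"""

if __name__ == "__main__":
    print(triage("7.8.3", SAMPLE_LOG.splitlines()))
```

On a real host, replace SAMPLE_LOG with the contents of the GoAnywhere log directory and the version string with the one shown in the Admin Console; a hit means the trace around that line needs to be examined, and a vulnerable verdict on an internet-facing instance means the instance should come off the internet until it is upgraded.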

"id": "for3493534100725",
"linkid": "fortra",
"type": "Ransomware",
"date": "5/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': 'Multiple organizations (exact '
                                              'number undisclosed)',
                        'industry': 'Cybersecurity/File Transfer Solutions',
                        'name': 'Fortra (GoAnywhere MFT)',
                        'type': 'Software Vendor'}],
 'attack_vector': ['Unauthenticated Remote Code Execution (RCE)',
                   'Deserialization Vulnerability (CVE-2025-10035)'],
 'customer_advisories': ['Urgent patching notice for GoAnywhere MFT users',
                         'Mitigation guidance for unpatched systems'],
 'data_breach': {'data_encryption': ['Likely (Medusa ransomware deployment)']},
 'date_detected': '2025-09-10',
 'date_publicly_disclosed': '2025-09-18',
 'description': 'CVE-2025-10035, a critical deserialization vulnerability in '
                'GoAnywhere Managed File Transfer (MFT), is being actively '
                'exploited by the ransomware group Storm-1175 to deploy Medusa '
                'ransomware. The flaw, patched on September 18, 2025, allows '
                'unauthenticated remote code execution via forged license '
                'response signatures. Over 500 exposed instances remain '
                'unpatched, posing significant risk. Microsoft confirmed '
                "exploitation aligned with Storm-1175's TTPs, with attacks "
                'observed as early as September 11, 2025.',
 'impact': {'brand_reputation_impact': ['High (associated with ransomware '
                                        'deployment)'],
            'operational_impact': ['Potential file transfer disruptions',
                                   'System compromise via RCE'],
            'systems_affected': ['GoAnywhere MFT instances (500+ exposed)']},
 'initial_access_broker': {'entry_point': 'GoAnywhere MFT License Servlet '
                                          '(CVE-2025-10035)',
                           'high_value_targets': ['File transfer systems',
                                                  'Enterprise data '
                                                  'repositories']},
 'investigation_status': 'Ongoing (Microsoft and third-party researchers '
                         'active)',
 'lessons_learned': ['Critical vulnerabilities in file transfer solutions are '
                     'high-value targets for ransomware groups.',
                     'Delayed patching exposes organizations to rapid '
                     'exploitation (zero-day to public disclosure in 8 days).',
                     'Public-facing administrative interfaces (e.g., License '
                     'Servlet) require strict access controls.'],
 'motivation': ['Financial Gain (Ransomware)', 'Data Theft/Encryption'],
 'post_incident_analysis': {'corrective_actions': ['Patch management process '
                                                   'review',
                                                   'Enhanced code audits for '
                                                   'deserialization risks',
                                                   'Reduction of attack '
                                                   'surface (e.g., removing '
                                                   'public internet exposure)'],
                            'root_causes': ['Deserialization vulnerability in '
                                            'License Servlet (CVE-2025-10035)',
                                            'Inadequate input validation for '
                                            'license response signatures',
                                            'Public exposure of administrative '
                                            'interfaces']},
 'ransomware': {'data_encryption': True, 'ransomware_strain': 'Medusa'},
 'recommendations': ['Immediately patch GoAnywhere MFT to versions 7.8.4 or '
                     '7.6.3.',
                     'Remove GoAnywhere from public internet exposure if '
                     'patching is delayed.',
                     "Monitor logs for 'SignedObject.getObject' errors as "
                     'indicators of exploitation.',
                     'Segment networks to limit lateral movement '
                     'post-exploitation.',
                     'Deploy behavioral detection tools (e.g., Microsoft '
                     'Defender) to identify anomalous activity.'],
 'references': [{'source': 'BleepingComputer'},
                {'date_accessed': '2025-09-18',
                 'source': 'Microsoft Defender Threat Intelligence Report'},
                {'source': 'Shadowserver Foundation'},
                {'date_accessed': '2025-09-10', 'source': 'WatchTowr Labs'}],
 'response': {'containment_measures': ['Upgrade to patched versions (7.8.4 or '
                                       'Sustain Release 7.6.3)',
                                       'Remove GoAnywhere from public internet '
                                       'via Admin Console'],
              'enhanced_monitoring': ['Microsoft Defender (for detection)'],
              'remediation_measures': ['Inspect log files for errors '
                                       "containing 'SignedObject.getObject'",
                                       'Apply patches immediately'],
              'third_party_assistance': ['Microsoft Defender Threat '
                                         'Intelligence']},
 'stakeholder_advisories': ['Fortra security advisory (patch release)',
                            'Microsoft Defender threat alert'],
 'threat_actor': 'Storm-1175',
 'title': 'Exploitation of CVE-2025-10035 in GoAnywhere MFT by Storm-1175 '
          'Deploying Medusa Ransomware',
 'type': ['Vulnerability Exploitation', 'Ransomware Attack'],
 'vulnerability_exploited': 'CVE-2025-10035 (Critical, CVSS 10.0) - '
                            'Deserialization in License Servlet of GoAnywhere '
                            'MFT'}