Microsoft Threat Intelligence details the exploitation of CVE-2025-10035 in GoAnywhere MFT by Storm-1175, sharing technical analysis, detection methods, and guidance for mitigation and protection.

Investigating Active Exploitation of CVE-2025-10035 in GoAnywhere Managed File Transfer

By Microsoft Threat Intelligence

Overview

A high-severity deserialization vulnerability (CVE-2025-10035) in GoAnywhere Managed File Transfer (MFT) is being actively exploited by Storm-1175—a threat group linked to financially motivated attacks and Medusa ransomware deployment. Successful exploitation can lead to remote code execution (RCE) through the MFT License Servlet.

Vulnerability Details

  • CVE: CVE-2025-10035
  • Impact: Arbitrary deserialization leading to command injection and potential RCE.
  • Affected Versions: GoAnywhere MFT Admin Console up to version 7.8.3.
  • Attack scenario: An attacker crafts a forged license response signature that bypasses signature verification and triggers deserialization of attacker-controlled objects. No authentication is required, but the attacker must hold or be able to intercept a valid license response.

Attack Chain by Storm-1175

  • Initial Access: Zero-day exploitation of the GoAnywhere MFT deserialization flaw.
  • Persistence: Dropping Remote Monitoring & Management (RMM) tools such as SimpleHelp and MeshAgent, launched directly as child processes of the MFT service; creation of malicious .jsp files in MFT directories.
  • Discovery and Movement:
    • Execution of user and system discovery commands
    • Network scanning with tools like netscan
    • Lateral movement using mstsc.exe (Remote Desktop)
  • Command and Control:
    • RMM tools and a Cloudflare tunnel for secure C2
  • Exfiltration: Use of Rclone for data extraction
  • Ransomware Deployment: Medusa ransomware execution observed in some victim environments
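The behaviours in this chain show up in endpoint telemetry that Defender XDR exposes through advanced hunting. The following KQL is an added example written for this summary, not a query from the Microsoft post. It assumes the GoAnywhere MFT service runs as a process installed under a folder whose path contains "GoAnywhere", and the 30-day window and the tool-name list are assumptions to adjust for your environment.

```kusto
// Added example, not from the original post.
// Assumption: the GoAnywhere MFT service binary lives under a folder whose
// path contains "GoAnywhere"; change mft_path_hint if your install differs.
let lookback = 30d;
let mft_path_hint = "GoAnywhere";
// Tool names taken from the attack chain described above (RMM agents and Rclone).
let rmm_tools = dynamic(["simplehelp", "meshagent", "rclone"]);
// 1. Shells, RDP client, Rclone or RMM agents spawned by the MFT service process.
//    A file-transfer server has no business launching any of these.
let suspicious_children =
    DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where InitiatingProcessFolderPath has mft_path_hint
        or InitiatingProcessCommandLine has mft_path_hint
    | where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "mstsc.exe", "rclone.exe")
        or ProcessCommandLine has_any (rmm_tools)
    | project Timestamp, DeviceName, AccountName,
              Finding = "Suspicious child of MFT process",
              Detail = strcat(InitiatingProcessFileName, " -> ", FileName, " ", ProcessCommandLine);
// 2. New or modified .jsp files inside the MFT install tree (web shell persistence).
let jsp_writes =
    DeviceFileEvents
    | where Timestamp > ago(lookback)
    | where ActionType in ("FileCreated", "FileModified")
    | where FolderPath has mft_path_hint and FileName endswith ".jsp"
    | project Timestamp, DeviceName, AccountName = InitiatingProcessAccountName,
              Finding = "JSP written under MFT folder",
              Detail = strcat(FolderPath, @"\", FileName, " by ", InitiatingProcessFileName);
// Single result set so the query can be saved as one custom detection rule.
union suspicious_children, jsp_writes
| order by Timestamp desc
```

Both branches are keyed on the MFT install path rather than on a specific malware hash, so they keep working when the actor swaps one RMM tool for another; tune the `FileName` list if your MFT host legitimately runs scheduled scripts from that folder.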

Mitigation and Protection Guidance

  • Upgrade to the latest version of GoAnywhere MFT following Fortra’s official instructions. Investigate for historical compromise, because upgrading does not remove persistence established through prior exploitation.
  • Perimeter Defense: Employ solutions like Microsoft Defender External Attack Surface Management (EASM) to map vulnerable services. Restrict arbitrary outbound connectivity from servers.
  • EDR & AV Recommendations:

Microsoft Defender Detections

  • Defender for Endpoint
    • Alerts for exploitation attempts, remote access software deployment, suspicious file/service activity, lateral movement, and ransomware presence
  • Defender Vulnerability Management: Identification of at-risk devices for CVE-2025-10035
  • Defender XDR & Experts for XDR: Centralized detection, response, and proactive notification of post-exploitation activity
  • Defender Copilot: Security Copilot can be used to investigate incidents, automate threat hunting, and utilize relevant promptbooks for incident response

Hunting Queries & Threat Intelligence

  • Sample Queries in Microsoft Defender XDR:
    • Identify vulnerable devices:

      DeviceTvmSoftwareVulnerabilities
      | where CveId in ("CVE-2025-10035")
      | summarize by DeviceName, CveId

    • Identify exploitation attempts with powershell/cmd.exe in the context of GoAnywhere MFT
    • Find observed attacker tool hashes in file/process event tables
  • Indicators of Compromise (IoCs):
    • File Hashes (SimpleHelp, MeshAgent):
      • 4106c35ff46bb6f2f4a42d63a2b8a619f1e1df72414122ddf6fd1b1a644b3220
      • c7e2632702d0e22598b90ea226d3cde4830455d9232bd8b33ebcb13827e99bc3
      • cd5aa589873d777c6e919c4438afe8bceccad6bbe57739e2ccb70b39aee1e8b3
      • 5ba7de7d5115789b952d9b1c6cff440c9128f438de933ff9044a68fff8496d19
    • C2 Infrastructure IPs:
      • 31[.]220[.]45[.]120
      • 45[.]11[.]183[.]123
      • 213[.]183[.]63[.]41
  • Ransomware Detection: Defender AV detects Medusa as Ransom:Win32/Medusa
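The two hunting ideas listed above (attacker tool hashes in file and process tables, and the C2 addresses) can be run as one sweep and cross-referenced with the vulnerable-device query. This KQL is an added example, not a query from the Microsoft post; the hashes and IP addresses are exactly the IoCs listed above with the IPs re-fanged, and the 90-day lookback is an assumption.

```kusto
// Added example, not from the original post. IoCs are the ones listed on this page;
// the 90-day lookback is an assumption.
let lookback = 90d;
let ioc_sha256 = dynamic([
    "4106c35ff46bb6f2f4a42d63a2b8a619f1e1df72414122ddf6fd1b1a644b3220",
    "c7e2632702d0e22598b90ea226d3cde4830455d9232bd8b33ebcb13827e99bc3",
    "cd5aa589873d777c6e919c4438afe8bceccad6bbe57739e2ccb70b39aee1e8b3",
    "5ba7de7d5115789b952d9b1c6cff440c9128f438de933ff9044a68fff8496d19"
]);
let ioc_ips = dynamic(["31.220.45.120", "45.11.183.123", "213.183.63.41"]);
// Hash hits across file writes, process launches and image loads; withsource records
// which table each row came from so the analyst can pivot back to it.
let hash_hits =
    union withsource=SourceTable DeviceFileEvents, DeviceProcessEvents, DeviceImageLoadEvents
    | where Timestamp > ago(lookback)
    | where SHA256 in~ (ioc_sha256)
    | project Timestamp, DeviceName, Indicator = SHA256,
              Detail = strcat(SourceTable, ": ", FolderPath, @"\", FileName);
// Outbound connections to the listed C2 infrastructure.
let ip_hits =
    DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where RemoteIP in (ioc_ips)
    | project Timestamp, DeviceName, Indicator = RemoteIP,
              Detail = strcat(InitiatingProcessFileName, " -> ", RemoteIP, ":", tostring(RemotePort));
// Flag whether each hit device is also still exposed to CVE-2025-10035.
union hash_hits, ip_hits
| join kind=leftouter (
    DeviceTvmSoftwareVulnerabilities
    | where CveId == "CVE-2025-10035"
    | distinct DeviceName, CveId
  ) on DeviceName
| extend StillVulnerable = iff(isnotempty(CveId), "yes", "no")
| project Timestamp, DeviceName, Indicator, Detail, StillVulnerable
| order by Timestamp desc
```

A hit on a device marked `StillVulnerable = yes` is the highest-priority case: it indicates post-exploitation activity on a host that has not yet been patched, so isolate it before upgrading rather than after.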

Additional Resources

Community and Support

Stay vigilant and keep your security controls current to defend against this evolving threat landscape.

This post appeared first on the Microsoft Security Blog.