Storm-1175 exploits GoAnywhere MFT flaw CVE-2025-10035 in Medusa attacks, allowing easy remote code execution via License Servlet bug.
A cybercrime group, tracked as Storm-1175, has been actively exploiting a maximum severity GoAnywhere MFT vulnerability (CVE-2025-10035) in Medusa ransomware attacks for nearly a month.
The vulnerability CVE-2025-10035 is a deserialization issue in the License Servlet of Fortra’s GoAnywhere MFT that allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection.
Attackers can easily exploit the vulnerability remotely without any user interaction. Fortra addressed this issue on September 18.
Researchers at WatchTowr Labs first confirmed that the flaw has been actively exploited in attacks in the wild since at least September 10, 2025.
“Since Part 1, we have been given credible evidence of in-the-wild exploitation of Fortra GoAnywhere CVE-2025-10035 dating back to September 10, 2025. That is eight days before Fortra’s public advisory, published September 18, 2025. This explains why Fortra later decided to publish limited IOCs, and we’re now urging defenders to immediately change how they think about timelines and risk.” reads the WatchTowr report.
“An individual sent us evidence of exploitation activity that aligns with the stack traces shown in Fortra’s advisory.”
Microsoft also confirmed active exploitation of the issue and reported that Medusa affiliate Storm-1175 has exploited the vulnerability since at least September 11, 2025. Microsoft Defender observed activity matching Storm-1175 TTPs. The actor gained access via the zero-day and maintained persistence by abusing RMM tools such as SimpleHelp and MeshAgent. Attackers also used Netscan for reconnaissance and moved laterally with mstsc.exe. According to Microsoft, the threat actors exfiltrated data with Rclone and deployed Medusa ransomware.
“For command and control (C2), the threat actor utilized RMM tools to establish their infrastructure and even set up a Cloudflare tunnel for secure C2 communication.” reads the report published by Microsoft. “During the exfiltration stage, the deployment and execution of Rclone was observed in at least one victim environment. Ultimately, in one compromised environment, the successful deployment of Medusa ransomware was observed.”
Microsoft advises organizations to update GoAnywhere MFT per Fortra’s guidance and use tools like Defender EASM to find unpatched systems, and restrict servers from making arbitrary outbound internet connections. The IT giant recommends enabling EDR in block mode, turning on full automated investigation and remediation, activating antivirus block mode for cloud-based protection, and applying attack surface reduction rules to block suspicious executables, ransomware activity, and web shell creation.
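The post-exploitation chain Microsoft describes (RMM tools for persistence, Netscan for reconnaissance, mstsc.exe for lateral movement, a Cloudflare tunnel for C2, Rclone for exfiltration) lends itself to host-level correlation rather than single-indicator matching. The following is an added example, not code from the article, Fortra or Microsoft: it runs over constructed process-creation events, tags each event with the chain stage it matches, and flags hosts that show two or more distinct stages. The log field layout, the executable names (e.g. `cloudflared.exe` for the tunnel client) and the assumption that the GoAnywhere Java process is the suspicious parent of a spawned shell are all assumptions of this example, not facts taken from the page.

```python
"""Added example (not part of the Security Affairs article or of
Microsoft's report): correlate constructed process-creation events
against the Storm-1175 post-exploitation chain the article describes.
Log layout and executable names are assumptions."""

import re
from collections import defaultdict

# Stage -> regex over "image path + command line". Tool names come from
# the article; the exact executable file names are assumptions.
STAGE_PATTERNS = {
    "rmm_persistence": re.compile(r"(simplehelp|meshagent)", re.I),
    "recon": re.compile(r"\bnetscan(\.exe)?\b", re.I),
    "lateral_movement": re.compile(r"\bmstsc\.exe\b", re.I),
    "c2_tunnel": re.compile(r"\bcloudflared(\.exe)?\b.*\btunnel\b", re.I),
    "exfiltration": re.compile(r"\brclone(\.exe)?\b", re.I),
}

# A shell spawned by the GoAnywhere MFT Java service is treated as the
# initial-access tell (assumed parent process name).
GOANYWHERE_PARENT = re.compile(r"goanywhere|java\.exe", re.I)
SHELL_IMAGE = re.compile(r"(cmd\.exe|powershell\.exe)", re.I)


def classify_event(event):
    """Return the set of chain stages a single event matches (may be empty)."""
    text = f"{event['image']} {event['cmdline']}"
    stages = {name for name, pat in STAGE_PATTERNS.items() if pat.search(text)}
    if GOANYWHERE_PARENT.search(event.get("parent", "")) and SHELL_IMAGE.search(event["image"]):
        stages.add("initial_access_child_shell")
    return stages


def correlate(events, min_stages=2):
    """Group events by host; return hosts with >= min_stages distinct stages."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]] |= classify_event(ev)
    return {h: sorted(s) for h, s in per_host.items() if len(s) >= min_stages}


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "mft01", "parent": "C:\\GoAnywhere\\jre\\bin\\java.exe",
     "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"host": "mft01", "parent": "cmd.exe",
     "image": "C:\\ProgramData\\SimpleHelp\\SimpleHelpService.exe",
     "cmdline": "SimpleHelpService.exe"},
    {"host": "mft01", "parent": "cmd.exe",
     "image": "C:\\Temp\\cloudflared.exe",
     "cmdline": "cloudflared.exe tunnel run --token REDACTED"},
    {"host": "mft01", "parent": "explorer.exe",
     "image": "C:\\Temp\\netscan.exe", "cmdline": "netscan.exe /range:10.0.0.0/24"},
    {"host": "fs02", "parent": "cmd.exe",
     "image": "C:\\Temp\\rclone.exe", "cmdline": "rclone.exe copy D:\\share remote:bucket"},
    {"host": "ws07", "parent": "explorer.exe",
     "image": "C:\\Windows\\System32\\mstsc.exe", "cmdline": "mstsc.exe /v:fs02"},
]

if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(stages)}")
```

With the default threshold only `mft01` is reported (four stages: a shell under the GoAnywhere Java process, SimpleHelp, a Cloudflare tunnel and Netscan); `fs02` and `ws07` each show a single stage and are left for lower-confidence review, which is where a per-host threshold earns its keep against the false positives a lone Rclone or mstsc.exe launch would otherwise produce.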
(SecurityAffairs – hacking, GoAnywhere MFT)