How Attackers Exploit the CVE-2025-10035 GoAnywhere MFT Vulnerability and How to Defend Against It

Cybersecurity threats are relentless, and the swift exploitation of the CVE-2025-10035 vulnerability in GoAnywhere Managed File Transfer (MFT) is a prime example. When vulnerabilities like this critical deserialization flaw are disclosed, attackers waste no time leveraging them for malicious gain. Organizations using vulnerable GoAnywhere MFT deployments face urgent risks as cybercriminals weaponize the flaw to bypass verification mechanisms and run unauthorized code.

What Makes CVE-2025-10035 So Dangerous?

This vulnerability targets the GoAnywhere MFT License Servlet Admin Console, impacting all versions up to 7.8.3. By forging a license response signature, attackers can deserialize harmful objects without needing authentication. This opens the door to command injection and remote code execution, making any internet-facing instance a high-value target.

Once inside, threat actors can explore system settings, establish ongoing access, and introduce tools for broader attacks within the organization. The speed at which attackers operate after vulnerability disclosure highlights the need for rapid patching and vigilant monitoring, as emphasized by security experts.

Storm-1175’s Attack Tactics

Microsoft has identified Storm-1175, a sophisticated cybercriminal group, actively exploiting this vulnerability. Known for deploying Medusa ransomware, Storm-1175 has executed multi-stage attacks that begin with exploiting the deserialization flaw and progress through several advanced techniques.

• Initial Access: Attackers exploit the CVE-2025-10035 vulnerability, often as a zero-day, to gain entry.
  
  
• Persistence: Remote monitoring and management (RMM) tools such as SimpleHelp and MeshAgent are deployed, with suspicious .jsp files created to maintain access.
  
  
• Discovery: System and network reconnaissance is conducted using various commands and tools, including netscan.
  
  
• Lateral Movement: Attackers move through the network using legitimate tools like mstsc.exe.
  
  
• Command and Control: RMM tools and Cloudflare tunnels are used to establish remote control and secure attacker communications.
  
  
• Exfiltration and Impact: Rclone is deployed for data theft, followed by the execution of Medusa ransomware to encrypt compromised systems.

How to Mitigate and Protect Your Organization

Immediate action is critical in the face of this threat. Microsoft and Fortra recommend the following layered defense strategies:

• Upgrade GoAnywhere MFT to the latest version as soon as possible. Remember, patching doesn’t address prior compromise, thorough investigation is required.
  
  
• Use attack surface management tools such as Microsoft Defender External Attack Surface Management to find and secure unpatched instances.
  
  
• Restrict server internet access at the firewall and proxy levels to limit exposure.
  
  
• Enable endpoint detection and response (EDR) in block mode for comprehensive threat remediation.
  
  
• Turn on automated investigation and remediation to streamline incident response and reduce dwell time.
  
  
• Implement attack surface reduction rules in Microsoft Defender to block common ransomware and web shell techniques.

Combining these proactive measures with vigilant monitoring can dramatically improve your organization’s resilience to sophisticated attacks.

Microsoft Defender’s Proactive Security Response

Microsoft Defender has introduced rapid detection and protection updates in response to this vulnerability. Vulnerability management identifies at-risk devices, while Defender for Endpoint and XDR solutions provide alerts at every stage from initial intrusion to ransomware deployment. Security teams can use built-in hunting queries and threat analytics reports to stay ahead of emerging threats and investigate incidents more effectively.

Integration with Security Copilot and real-time threat intelligence ensures that defenders have actionable insights at their fingertips, enabling faster and more informed responses to evolving attacker tactics.

Staying Ahead: Indicators of Compromise and Threat Hunting

Microsoft has released specific file and network indicators associated with Storm-1175’s toolset, empowering security professionals to detect both active and historical exploitation attempts. Recommended Kusto Query Language (KQL) queries provide a powerful means to search for suspicious activity, ensuring that organizations can uncover hidden threats and take decisive action.

The Value of Vigilance and Defense in Depth

The rapid exploitation of CVE-2025-10035 serves as a powerful reminder of the importance of immediate patching, layered security, and real-time monitoring. Organizations must not only update vulnerable GoAnywhere MFT installations but also assess their overall security posture and readiness to detect and respond to multi-stage cyberattacks. Leveraging advanced tools and maintaining a proactive security stance are essential steps in defending against sophisticated adversaries like Storm-1175.

Source: Microsoft Security Blog