Fortra GoAnywhere MFT Zero-Day Exploited in Ransomware Attacks
The Medusa ransomware operators exploited the GoAnywhere MFT vulnerability one week before patches were released. The post Fortra GoAnywhere MFT Zero-Day Exploited in Ransomware Attacks appeared first on SecurityWeek.
AI Analysis
Technical Summary
The Fortra GoAnywhere MFT zero-day (CVE-2025-10035) is a critical deserialization flaw in the license servlet component of the Managed File Transfer application. It allows unauthenticated remote code execution by forging license response signatures, which requires the private key ('serverkey1') used to sign those responses.

Storm-1175, a Chinese, financially motivated group known for deploying Medusa ransomware, exploited the flaw from at least September 10, 2025, before the public patch release on September 18. The attackers used it to create backdoor administrator accounts, to deploy remote monitoring and management (RMM) tools (SimpleHelp and MeshAgent) under the GoAnywhere process, and to upload malicious .jsp files. They then carried out user, system and network discovery, moved laterally with mstsc.exe, set up a Cloudflare tunnel for command-and-control traffic, and exfiltrated data with Rclone. Ransomware was deployed on at least one compromised network.

Technical investigations by watchTowr and Rapid7 suggest the private key used to forge signatures was leaked, obtained by tricking the license server, or accessed by unknown means. Despite the severity and confirmed exploitation, Fortra has not updated its advisories to reflect active attacks, raising concerns about transparency and response. The vulnerability carries a CVSS score of 10/10, indicating critical severity. Because the attack vector requires no authentication and affects internet-facing GoAnywhere MFT instances, it is highly exploitable and dangerous.
Potential Impact
European organizations using Fortra GoAnywhere MFT, particularly those with internet-facing deployments, face significant risks: unauthorized system access, data exfiltration, lateral movement within networks, and ransomware infection leading to operational disruption and data loss. Ransomware deployment threatens the availability and integrity of critical business data and systems, while confidentiality is compromised through data theft facilitated by tools such as Rclone. The attack's sophistication and its use of legitimate remote management tools complicate detection and response.

Sectors relying heavily on secure file transfer, such as finance, healthcare, manufacturing and government, are especially exposed. The prolonged window between exploitation and patching increases that exposure, and the lack of vendor communication may delay incident response and mitigation. The financial and reputational damage from ransomware attacks can be severe, with potential regulatory consequences under GDPR for data breaches. The threat also underscores supply chain risk: organizations depending on Fortra's software must urgently reassess their security posture.
Mitigation Recommendations
1. Immediate deployment of the official patches released by Fortra on September 18, 2025, is critical to close the vulnerability.
2. Conduct thorough audits of all GoAnywhere MFT instances, focusing on internet-facing servers, to detect signs of compromise such as unauthorized admin accounts, unexpected .jsp files, and the presence of RMM tools like SimpleHelp and MeshAgent.
3. Implement network segmentation to isolate MFT servers from critical infrastructure and limit lateral movement opportunities.
4. Monitor network traffic for unusual outbound connections, especially Cloudflare tunnels or other proxy services used for C2 communications.
5. Employ endpoint detection and response (EDR) solutions to identify suspicious processes and lateral movement activity, including mstsc.exe usage outside normal patterns.
6. Rotate and securely manage all cryptographic keys related to license signing and server authentication to prevent further misuse.
7. Enhance logging and alerting on license servlet activity and failed or suspicious license signature validations.
8. Educate incident response teams on the specific tactics, techniques, and procedures (TTPs) used by Storm-1175 to improve detection and containment.
9. Coordinate with threat intelligence sharing groups and national cybersecurity agencies for updated indicators of compromise (IOCs) and mitigation strategies.
10. Review and update incident response and ransomware recovery plans to address this specific threat vector.
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Belgium, Sweden, Ireland
Technical Details
- Article Source: https://www.securityweek.com/fortra-goanywhere-mft-zero-day-exploited-in-ransomware-attacks/ (fetched 2025-10-07T09:41:55.127Z, 1098 words)
Threat ID: 68e4e063ab797cfef8b07343
Added to database: 10/7/2025, 9:41:55 AM
Last enriched: 10/7/2025, 9:42:09 AM
Last updated: 10/7/2025, 1:40:23 PM