CVE-2025-10035 is a critical security vulnerability discovered in the License Servlet component of GoAnywhere Managed File Transfer (MFT) software, versions 7.6.x through 7.8.x. The flaw is a deserialization vulnerability that allows unauthenticated remote command injection, meaning attackers can execute arbitrary commands on the affected system without needing credentials or user interaction. The vulnerability was actively exploited starting September 11, 2025, as revealed by Fortra following a customer report of suspicious activity. The exploitation involves threat actors, tracked by Microsoft as Storm-1175, deploying Medusa ransomware post-compromise. The attack vector requires the GoAnywhere admin console to be exposed to the public internet, which is not the default configuration but can occur due to misconfiguration. Fortra responded rapidly by notifying affected customers, law enforcement, and releasing hotfixes within one day, followed by full patched versions shortly after. The vulnerability's exploitation demonstrates that attackers circumvented cryptographic protections, possibly by obtaining private keys, though the exact method remains unclear. The impact is severe as it allows full system compromise, ransomware deployment, and potential data exfiltration. Fortra recommends restricting admin console access to trusted networks, enabling continuous monitoring for suspicious activity, and maintaining up-to-date software versions. The vulnerability does not affect other GoAnywhere web components, limiting the attack surface but still posing a significant risk to exposed installations.

European organizations using GoAnywhere MFT with publicly accessible admin consoles face critical risks including ransomware infection, operational disruption, data loss, and potential regulatory penalties under GDPR due to data breaches. The ability for unauthenticated attackers to execute arbitrary commands can lead to full system compromise, lateral movement within networks, and deployment of ransomware like Medusa, which can encrypt critical files and demand ransom payments. This can severely impact business continuity, especially for organizations relying on GoAnywhere MFT for secure file transfers in sectors such as finance, healthcare, manufacturing, and government. The exposure of admin consoles to the internet increases the attack surface, making organizations vulnerable to automated scanning and exploitation. Additionally, the confirmed unauthorized activity indicates active threat actor campaigns targeting this vulnerability, increasing the likelihood of successful attacks. The incident also highlights the importance of secure configuration and rapid patch management in mitigating risks. Failure to address this vulnerability promptly could lead to significant financial losses, reputational damage, and legal consequences for European entities.

1. Immediately restrict access to the GoAnywhere admin console by implementing network-level controls such as VPNs, IP whitelisting, or firewall rules to prevent public internet exposure. 2. Apply the official Fortra hotfixes or full patched versions (7.6.3, 7.8.4, or later) without delay to remediate the vulnerability. 3. Enable comprehensive logging and continuous monitoring of GoAnywhere MFT activity to detect suspicious behavior indicative of exploitation attempts. 4. Conduct thorough audits of existing GoAnywhere deployments to identify any instances where the admin console is exposed externally and remediate accordingly. 5. Implement multi-factor authentication (MFA) for administrative access where possible to add an additional security layer. 6. Regularly review and update cryptographic keys and secrets associated with GoAnywhere to reduce the risk of key compromise. 7. Educate IT and security teams on the specific risks of deserialization vulnerabilities and the importance of secure software configuration. 8. Develop and test incident response plans specifically addressing ransomware scenarios linked to this vulnerability. 9. Collaborate with threat intelligence providers to stay informed about ongoing exploitation trends and indicators of compromise related to CVE-2025-10035. 10. Consider network segmentation to limit the impact of any potential compromise of the MFT server.