Microsoft Links Storm-1175 to GoAnywhere Exploit Deploying Medusa Ransomware
A critical deserialization vulnerability (CVE-2025-10035) in Fortra GoAnywhere MFT software is actively exploited by the cybercriminal group Storm-1175 to deploy Medusa ransomware. The flaw allows unauthenticated command injection and remote code execution by deserializing attacker-controlled objects, enabling initial access without authentication. Exploitation leads to system and user discovery, persistence via remote monitoring and management tools, lateral movement using Windows Remote Desktop, data exfiltration, and eventual ransomware deployment. The vulnerability was patched in GoAnywhere version 7.8.4 and Sustain Release 7.6.3, but exploitation has been ongoing since at least September 2025. European organizations using GoAnywhere MFT are at significant risk due to the critical nature of the flaw and the sophisticated attack chain. Immediate patching and enhanced monitoring are essential to mitigate this threat.
AI Analysis
Technical Summary
Microsoft has linked the threat actor Storm-1175 to the exploitation of a critical vulnerability in Fortra's GoAnywhere Managed File Transfer (MFT) software, identified as CVE-2025-10035. This vulnerability is a critical deserialization bug with a CVSS score of 10.0, allowing unauthenticated attackers to inject commands and execute arbitrary code remotely. The flaw arises from the ability to deserialize attacker-controlled objects via a forged license response signature, bypassing authentication mechanisms. Since at least September 2025, Storm-1175 has exploited this vulnerability to gain initial access to victim networks. Following exploitation, attackers deploy remote monitoring and management (RMM) tools such as SimpleHelp and MeshAgent to establish persistence. They also create .jsp files within GoAnywhere directories to facilitate further control. The attackers conduct extensive system and network reconnaissance, then use Windows Remote Desktop Protocol (mstsc.exe) for lateral movement. Command-and-control communications are maintained through Cloudflare tunnels, and data exfiltration has been observed using tools like Rclone. The attack culminates in the deployment of Medusa ransomware, encrypting victim data and demanding ransom. Despite the availability of patches in versions 7.8.4 and Sustain Release 7.6.3, many organizations remain vulnerable due to delayed patching and lack of transparency from the vendor. The attack chain demonstrates advanced tactics, techniques, and procedures (TTPs) that enable stealthy and persistent intrusions, posing a severe risk to affected environments.
Potential Impact
For European organizations, the exploitation of CVE-2025-10035 presents a critical threat to confidentiality, integrity, and availability of data and systems. GoAnywhere MFT is widely used in sectors requiring secure file transfers, including finance, healthcare, manufacturing, and government, all of which are prevalent across Europe. Successful exploitation can lead to unauthorized access to sensitive data, prolonged undetected presence within networks, lateral movement across critical infrastructure, and eventual ransomware deployment causing operational disruption and financial loss. The use of sophisticated RMM tools and cloud-based C2 channels complicates detection and response efforts. Data exfiltration risks regulatory non-compliance under GDPR, potentially resulting in heavy fines and reputational damage. The ongoing active exploitation since September 2025 means many organizations may already be compromised or at imminent risk, emphasizing the urgency for European entities to act swiftly. The threat also raises concerns about supply chain security and vendor transparency, as delayed disclosure and patching exacerbate exposure.
Mitigation Recommendations
European organizations should immediately verify their GoAnywhere MFT version and apply the security patches available in version 7.8.4 or Sustain Release 7.6.3 without delay. Further recommendations:
- Conduct thorough network and endpoint detection for indicators of compromise, such as unauthorized .jsp files in GoAnywhere directories and the deployment of RMM tools like SimpleHelp and MeshAgent.
- Monitor network traffic for unusual Cloudflare tunnel activity and for use of Rclone or similar data exfiltration tools.
- Implement strict network segmentation to limit lateral movement, in particular restricting RDP (mstsc.exe) usage to authorized systems only.
- Employ multi-factor authentication and robust logging on all remote access points.
- Enhance threat hunting capabilities, focusing on deserialization attack patterns and anomalous command execution.
- Engage with the vendor to demand transparency regarding private key exposure and vulnerability details.
- Regularly update incident response plans to address ransomware scenarios, and ensure backups are isolated and tested for integrity.
- Consider deploying application-layer firewalls or runtime application self-protection (RASP) solutions to detect and block deserialization attacks.
- Raise user awareness about phishing and social engineering tactics that may be used in conjunction with this exploit.
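As an added hunting example (not code from the article, Microsoft or Fortra), the two host-side indicators above can be checked mechanically: compare the .jsp files under the GoAnywhere install directory against a baseline recorded on a clean, patched install, and flag process image names matching the RMM and exfiltration tools named in the analysis. The directory layout, file names and process list in `demo()` are constructed placeholders, not real GoAnywhere paths or indicators.

```python
import os
from dataclasses import dataclass
from pathlib import Path
from typing import Iterable

# Indicators named in the article; matched on image name only, so hits are
# triage leads, not verdicts.
SUSPECT_TOOLS = ("simplehelp", "meshagent", "rclone")


@dataclass(frozen=True)
class Finding:
    kind: str    # "unexpected_jsp" or "suspect_process"
    detail: str


def unexpected_jsp(relative_paths: Iterable[str], baseline: set[str]) -> list[Finding]:
    """Report every .jsp (path relative to the install root) that is absent
    from a baseline recorded on a clean, patched install."""
    found = []
    for rel in relative_paths:
        norm = rel.replace("\\", "/")          # accept Windows separators
        if norm.lower().endswith(".jsp") and norm not in baseline:
            found.append(Finding("unexpected_jsp", norm))
    return sorted(found, key=lambda f: f.detail)


def scan_install(install_root: Path, baseline: set[str]) -> list[Finding]:
    """Walk the (assumed) GoAnywhere install directory and check every file."""
    rels = (Path(d, f).relative_to(install_root).as_posix()
            for d, _, files in os.walk(install_root) for f in files)
    return unexpected_jsp(rels, baseline)


def suspect_processes(image_names: Iterable[str]) -> list[Finding]:
    """image_names: process image names, e.g. from tasklist or psutil."""
    return [Finding("suspect_process", n) for n in image_names
            if any(t in Path(n).stem.lower() for t in SUSPECT_TOOLS)]


def demo() -> list[Finding]:
    """Constructed sample host data (placeholder paths, not real IoCs)."""
    baseline = {"webapps/admin/index.jsp", "webapps/admin/login.jsp"}
    files = ["webapps/admin/index.jsp", "webapps/admin/login.jsp",
             "webapps\\admin\\help.jsp", "config/goanywhere.xml"]
    procs = ["java.exe", "SimpleHelp Remote Access.exe", "rclone.exe", "mstsc.exe"]
    return unexpected_jsp(files, baseline) + suspect_processes(procs)
```

Run `scan_install` against the real install root with a baseline captured right after patching; any .jsp it reports, and any process hit, should be triaged together with the RDP and Cloudflare tunnel checks above.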
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Belgium, Sweden, Poland, Switzerland
Technical Details
- Article Source: https://thehackernews.com/2025/10/microsoft-links-storm-1175-to.html (fetched 2025-10-07T11:50:18Z, 1001 words)
Threat ID: 68e4fe7ca677756fc98a4e0f
Added to database: 10/7/2025, 11:50:20 AM
Last enriched: 10/7/2025, 11:50:51 AM
Last updated: 10/7/2025, 5:20:54 PM