Microsoft Links Storm-1175 to GoAnywhere Exploit Deploying Medusa Ransomware
Microsoft on Monday attributed a threat actor it tracks as Storm-1175 to the exploitation of a critical security flaw in Fortra GoAnywhere software to facilitate the deployment of Medusa ransomware. The vulnerability is CVE-2025-10035 (CVSS score: 10.0), a critical deserialization bug that could result in command injection without authentication. It was addressed in version 7.8.4, or the Sustain
AI Analysis
Technical Summary
Microsoft has linked the threat actor Storm-1175 to the exploitation of a critical vulnerability in Fortra's GoAnywhere Managed File Transfer (MFT) software, identified as CVE-2025-10035. This vulnerability is a critical deserialization bug with a CVSS score of 10.0, allowing unauthenticated attackers to inject commands and execute arbitrary code remotely. The flaw arises from the ability to deserialize attacker-controlled objects via a forged license response signature, bypassing authentication. Since at least September 2025, Storm-1175 has exploited this vulnerability to gain initial access to victim networks. Following exploitation, the attackers deploy remote monitoring and management (RMM) tools such as SimpleHelp and MeshAgent to establish persistence. They also create .jsp files within GoAnywhere directories to facilitate further control. The attackers conduct extensive system and network reconnaissance, then use the Windows Remote Desktop client (mstsc.exe) for lateral movement. Command-and-control communications are maintained through Cloudflare tunnels, and data exfiltration has been observed using tools like Rclone. The attack culminates in the deployment of Medusa ransomware, which encrypts victim data and demands a ransom. Despite the availability of patches in version 7.8.4 and Sustain Release 7.6.3, many organizations remain vulnerable due to delayed patching and a lack of transparency from the vendor. The attack chain demonstrates tactics, techniques, and procedures (TTPs) that enable stealthy and persistent intrusions, posing a severe risk to affected environments.
Potential Impact
For European organizations, the exploitation of CVE-2025-10035 presents a critical threat to the confidentiality, integrity, and availability of data and systems. GoAnywhere MFT is widely used in sectors that require secure file transfers, including finance, healthcare, manufacturing, and government, all of which are well represented across Europe. Successful exploitation can lead to unauthorized access to sensitive data, prolonged undetected presence within networks, lateral movement across critical infrastructure, and eventual ransomware deployment causing operational disruption and financial loss. The use of legitimate RMM tools and cloud-based C2 channels complicates detection and response. Data exfiltration also creates GDPR exposure, potentially resulting in heavy fines and reputational damage. Because exploitation has been ongoing since September 2025, many organizations may already be compromised or at imminent risk, so European entities need to act swiftly. The threat also raises concerns about supply chain security and vendor transparency, as delayed disclosure and patching exacerbate exposure.
Mitigation Recommendations
European organizations should immediately verify their GoAnywhere MFT version and apply the security patches available in version 7.8.4 or Sustain Release 7.6.3 without delay. Hunt across the network and endpoints for indicators of compromise such as unauthorized .jsp files in GoAnywhere directories and the deployment of RMM tools like SimpleHelp and MeshAgent. Monitor network traffic for unusual Cloudflare tunnel activity and for the use of Rclone or similar data exfiltration tools. Implement strict network segmentation to limit lateral movement, in particular restricting RDP (mstsc.exe) to authorized systems only. Employ multi-factor authentication and robust logging on all remote access points. Enhance threat hunting with a focus on deserialization attack patterns and anomalous command execution. Engage with the vendor to demand transparency regarding private key exposure and vulnerability details. Regularly update incident response plans to cover ransomware scenarios, and ensure backups are isolated and tested for integrity. Consider deploying application-layer firewalls or runtime application self-protection (RASP) solutions to detect and block deserialization attacks. Finally, raise user awareness of phishing and social engineering tactics that may be used in conjunction with this exploit.
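One concrete way to act on the .jsp indicator above is a manifest check that compares the .jsp files under the GoAnywhere install root against a baseline captured from a known-good (patched) install, reporting anything added or modified. This is an added example, not code from the article or from Fortra; the install path, the baseline manifest format, and the sample files are assumptions.

```python
"""Hunt for unexpected .jsp files under a GoAnywhere MFT install root.

Added example, not from the original article. Assumes a baseline manifest
(relative path -> SHA-256) captured from a known-good install. The install
root below is a placeholder, not a documented GoAnywhere path.
"""
import hashlib
import json
import os
import sys
from pathlib import Path

# Placeholder: point this at the real GoAnywhere install directory on the host.
GOANYWHERE_ROOT = Path(os.environ.get("GOANYWHERE_ROOT", "/opt/GoAnywhere"))


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def jsp_manifest(root: Path) -> dict:
    """Map every .jsp file below root (path relative to root) to its hash."""
    manifest = {}
    for p in root.rglob("*.jsp"):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Classify .jsp files as added, modified or removed relative to the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in set(current) & set(baseline) if current[k] != baseline[k])
    return {"added": added, "modified": modified, "removed": removed}


def hunt(root: Path, baseline: dict) -> dict:
    """Return findings; 'added' and 'modified' entries warrant investigation."""
    return diff_manifests(baseline, jsp_manifest(root))


if __name__ == "__main__":
    # Usage: python hunt_jsp.py [baseline.json]; with no baseline, print the
    # current manifest so it can be saved as the baseline after patching.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            print(json.dumps(hunt(GOANYWHERE_ROOT, json.load(fh)), indent=2))
    else:
        print(json.dumps(jsp_manifest(GOANYWHERE_ROOT), indent=2))
```

Run it on a schedule and treat any non-empty "added" or "modified" list as a hunting lead, since the page's reported intrusion chain drops new .jsp files into the application's directories.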
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Belgium, Sweden, Poland, Switzerland
Technical Details
Article source: https://thehackernews.com/2025/10/microsoft-links-storm-1175-to.html (fetched 2025-10-07T11:50:18Z, 1001 words)
Threat ID: 68e4fe7ca677756fc98a4e0f
Added to database: 10/7/2025, 11:50:20 AM
Last enriched: 10/7/2025, 11:50:51 AM
Last updated: 11/22/2025, 12:41:16 AM