A critical zero-day vulnerability in Fortra’s GoAnywhere Managed File Transfer platform came under active exploitation by the threat group tracked as Storm-1175, marking one of the most significant enterprise security incidents of September 2025. Microsoft confirmed that the group, operating as a Medusa ransomware affiliate, leveraged the flaw to breach target networks, establish persistent access, and deploy file-encrypting payloads across compromised environments.
The Threat Landscape
The vulnerability, designated CVE-2025-10035, carries a maximum severity rating and represents a deserialization flaw in the License Servlet of GoAnywhere MFT. The bug allows an attacker with a forged license response signature to deserialize an arbitrary object, potentially leading to remote code execution. Most critically, exploitation requires no user interaction whatsoever — an attacker with network access to the GoAnywhere service can trigger the vulnerability remotely.
watchTowr Labs first confirmed active exploitation dating back to at least September 10, 2025, a full eight days before Fortra published its public advisory on September 18. Microsoft independently corroborated the timeline, observing Storm-1175 activity matching the group’s established tactics, techniques, and procedures beginning September 11. The gap between initial exploitation and vendor disclosure highlights a persistent challenge in enterprise security: defenders often operate with incomplete threat intelligence while attackers move quickly to exploit newly discovered weaknesses.
For cryptocurrency businesses and exchanges that rely on managed file transfer solutions for secure data movement, this vulnerability presents a particularly acute risk. Attackers who establish footholds in file transfer infrastructure gain access to the data backbone connecting trading systems, compliance workflows, and customer records.
Core Principles
Understanding the GoAnywhere exploit requires grasping the fundamentals of deserialization vulnerabilities. When software receives data from an external source, it must convert that data from its serialized wire format back into in-memory objects. If the deserializer reconstructs whatever object types the incoming stream names, without first authenticating the data and restricting which classes may be instantiated, an attacker can craft a payload whose reconstruction runs code of the attacker's choosing inside the application.
In this case, the License Servlet handles license validation responses. By forging a response with a specially crafted signature and embedded malicious object, attackers bypassed the intended license verification flow and injected their own commands into the GoAnywhere process. The maximum severity rating reflects both the ease of exploitation and the complete lack of authentication required — any network-reachable GoAnywhere instance was vulnerable.
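Added example, not code from GoAnywhere, Fortra or Microsoft: the two controls a servlet consuming a signed, serialized response should apply, in order, written in Java because the affected component is a Java servlet. The class and method names (LicenseResponseReader, LicenseResponse, SignedEnvelope, verify, read) are hypothetical, and the keys and payloads are constructed inside main(). The first control checks the detached signature against a pinned public key before readObject() is ever reached; the second wraps deserialization in an ObjectInputFilter allowlist (Java 9+) that rejects any class other than the expected one while the stream is being read, so a forged or weakly verified signature alone would no longer be enough to reach a gadget chain.

```java
import java.io.*;
import java.security.*;
import java.util.Set;

// Added example (hypothetical names, not GoAnywhere code). Two independent controls:
// (1) verify the detached signature against a pinned trusted key before any byte of
//     the body is deserialized;
// (2) deserialize behind an ObjectInputFilter allowlist so that, even if the
//     signature check were bypassed, only the expected class can be reconstructed.
public class LicenseResponseReader {

    /** The only payload type this reader is ever expected to receive. */
    public static final class LicenseResponse implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String licensee;
        public final long expiresEpochSeconds;
        public LicenseResponse(String licensee, long expiresEpochSeconds) {
            this.licensee = licensee;
            this.expiresEpochSeconds = expiresEpochSeconds;
        }
    }

    /** Constructed transport wrapper: serialized body plus a detached signature. */
    public static final class SignedEnvelope {
        public final byte[] body, signature;
        public SignedEnvelope(byte[] body, byte[] signature) { this.body = body; this.signature = signature; }
    }

    // String is listed because the filter is also consulted for the licensee field.
    private static final Set<String> ALLOWED = Set.of(LicenseResponse.class.getName(), String.class.getName());

    // Allowlist filter with depth/reference caps: a hostile stream can neither name
    // unexpected classes nor exhaust memory while it is being read.
    private static final ObjectInputFilter FILTER = info -> {
        if (info.depth() > 3 || info.references() > 100) return ObjectInputFilter.Status.REJECTED;
        Class<?> c = info.serialClass();
        if (c == null) return ObjectInputFilter.Status.UNDECIDED; // primitives, back-references
        return ALLOWED.contains(c.getName()) ? ObjectInputFilter.Status.ALLOWED
                                             : ObjectInputFilter.Status.REJECTED;
    };

    /** Control 1: authenticate with the pinned key; never trust a key carried in the message itself. */
    public static boolean verify(SignedEnvelope env, PublicKey trusted) throws GeneralSecurityException {
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(trusted);
        sig.update(env.body);
        return sig.verify(env.signature);
    }

    /** Control 2: deserialize only after verification, and only the expected class. */
    public static LicenseResponse read(SignedEnvelope env, PublicKey trusted)
            throws IOException, ClassNotFoundException, GeneralSecurityException {
        if (!verify(env, trusted)) throw new SecurityException("license response signature invalid");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(env.body))) {
            in.setObjectInputFilter(FILTER); // must be installed before the first readObject()
            Object o = in.readObject();
            if (!(o instanceof LicenseResponse))
                throw new InvalidObjectException("unexpected type " + o.getClass().getName());
            return (LicenseResponse) o;
        }
    }

    // Helpers used only to build the constructed inputs below.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    static SignedEnvelope sign(byte[] body, PrivateKey key) throws GeneralSecurityException {
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(key);
        sig.update(body);
        return new SignedEnvelope(body, sig.sign());
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair vendor = kpg.generateKeyPair();    // constructed stand-in for the vendor's signing key
        KeyPair untrusted = kpg.generateKeyPair(); // constructed: a key the server does not trust

        // 1. Genuine response: signature verifies, allowlisted class deserializes.
        byte[] good = serialize(new LicenseResponse("example-tenant", 1_800_000_000L));
        System.out.println("accepted: " + read(sign(good, vendor.getPrivate()), vendor.getPublic()).licensee);

        // 2. Same body signed with an untrusted key: refused before readObject() runs.
        try { read(sign(good, untrusted.getPrivate()), vendor.getPublic()); }
        catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }

        // 3. Correctly signed body carrying the wrong class (stand-in for a gadget chain):
        //    the filter refuses it while the class descriptor is read, before instantiation.
        byte[] wrongType = serialize(new java.util.ArrayList<String>());
        try { read(sign(wrongType, vendor.getPrivate()), vendor.getPublic()); }
        catch (InvalidClassException e) { System.out.println("rejected by filter: " + e.getMessage()); }
    }
}
```

Run it with `java LicenseResponseReader.java` on Java 11 or later. The third case in main() is the one that matters for this class of bug: a body with a valid signature that names an unexpected class is refused while its class descriptor is read, before the object is instantiated or any readObject or readResolve logic in that class executes, which is exactly the point at which a gadget chain would otherwise start running.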
The attack chain followed a well-established playbook for ransomware operators: initial access through the zero-day, followed by lateral movement using legitimate remote management tools, data exfiltration, and finally ransomware deployment.
Tooling and Setup
Storm-1175 demonstrated a sophisticated multi-stage approach after gaining initial access. For persistence, the group abused legitimate remote monitoring and management tools including SimpleHelp and MeshAgent, blending their command-and-control traffic with normal IT operations. The actors also deployed Netscan for network reconnaissance, mapping the compromised environment to identify high-value targets.
Lateral movement was accomplished through Microsoft Terminal Services client (mstsc.exe), allowing attackers to pivot between systems using stolen credentials. For data exfiltration, the group deployed Rclone, an open-source file synchronization tool that can stream data to cloud storage providers — effectively turning a legitimate utility into a data theft weapon. The attackers even established a Cloudflare tunnel for secure and encrypted command-and-control communications, making their traffic difficult to distinguish from normal HTTPS connections.
The final stage saw the deployment of Medusa ransomware across the compromised environment, encrypting files and demanding payment for decryption keys. Microsoft confirmed that at least one victim environment experienced complete ransomware deployment.
Ongoing Vigilance
Microsoft’s advisory recommends a comprehensive set of defensive measures. Organizations should update GoAnywhere MFT immediately per Fortra’s guidance, using tools like Defender External Attack Surface Management to locate unpatched instances. Servers should be restricted from making arbitrary outbound internet connections, limiting the effectiveness of tools like Rclone and Cloudflare tunnels.
Additional recommendations include enabling Endpoint Detection and Response in block mode, activating full automated investigation and remediation capabilities, turning on antivirus block mode for cloud-based protection, and applying attack surface reduction rules to block suspicious executable launches, ransomware activity patterns, and web shell creation.
Final Takeaway
The GoAnywhere MFT zero-day exploitation by Storm-1175 serves as a stark reminder that enterprise infrastructure components — not just endpoints or web applications — are prime targets for sophisticated threat actors. Managed file transfer platforms sit at the intersection of internal networks and external data flows, making them ideal pivot points for ransomware operators. With Bitcoin trading above $115,000 and the broader crypto market capitalization exceeding $3.6 trillion, cryptocurrency businesses face an elevated threat landscape where a single unpatched vulnerability can cascade into a catastrophic breach. The eight-day gap between first exploitation and vendor disclosure underscores why organizations cannot rely solely on vendor patches — proactive monitoring, network segmentation, and defense-in-depth strategies are essential.
Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Always consult with qualified security professionals regarding your specific infrastructure needs.
8 days between initial exploitation and vendor disclosure. Defenders operating blind for over a week while attackers had full access. This gap is the real vulnerability.
Kasper Nielsen: 8 days blind is actually better than the industry average. Most zero-days go months before disclosure. The real question is how many orgs even applied the patch within 48 hours.
CVE-2025-10035 is max severity and requires zero user interaction. Remote code execution on a file transfer platform is basically a skeleton key to enterprise networks.
MFT platforms sit at the intersection of internal networks and external partners. One CVSS 10 RCE there and the attacker owns the data backbone of every connected org.