- CVE-2025-10035 in GoAnywhere MFT is being exploited by the Storm-1175 ransomware group
- The vulnerability allows unauthenticated remote code execution; Medusa ransomware was deployed in at least one case
- A patch was released on September 18; more than 500 instances remain exposed, which calls for immediate updates or mitigation
Microsoft warns that a ransomware group is exploiting a recently discovered maximum-severity vulnerability in GoAnywhere Managed File Transfer (MFT).
Fortra recently said it discovered and fixed a deserialization vulnerability in the GoAnywhere MFT License Servlet, a tool that helps companies send and receive files securely.
The flaw, tracked as CVE-2025-10035 and given the maximum severity score (10/10, critical), allows a threat actor holding a validly forged license response signature to deserialize an arbitrary actor-controlled object, "which possibly leads to command injection."
Storm-1175
Shortly after, watchTowr Labs security researchers reported having found "credible evidence" that the bug was being exploited as a zero-day as early as September 10. At that time, however, there was no attribution: nobody knew who was using the bug, for what purpose, or against which companies.
Now Microsoft has published a new report pointing at a threat actor it tracks as Storm-1175.
"Microsoft Defender researchers identified exploitation activity in multiple organizations aligned with tactics, techniques, and procedures (TTPs) attributed to Storm-1175," Microsoft said in the report. "The related activity was observed on September 11, 2025."
Microsoft also said the group used the vulnerability to infect its targets with the Medusa ransomware strain.
"Finally, in one compromised environment, successful deployment of the Medusa ransomware was observed," it concluded.
The patch for the vulnerability was released on September 18, but it is safe to assume that not everyone has applied it yet. The Shadowserver Foundation says there are currently more than 500 GoAnywhere MFT instances exposed online, though it is unclear how many of them are patched.
The best way to protect against attacks is to update to a patched version, either the latest release (7.8.4) or Sustain Release 7.6.3.
Those who cannot patch right now can remove GoAnywhere from the public internet via the administration console, and those who suspect they may have been attacked should inspect the log files for errors containing the string 'SignedObject.getObject'.
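The log check described above, as an added example that is not part of the original article and not Fortra's or Microsoft's tooling: a small scanner that walks a log directory, flags every line containing the 'SignedObject.getObject' indicator, and reports the earliest timestamp among the hits so the finding can be compared against the September 10 zero-day date. The sample log lines are constructed for illustration and are not real GoAnywhere output; the timestamp format they use is an assumption.

```python
"""Scan log files for the 'SignedObject.getObject' indicator named in Fortra's advisory.

Added example, not Fortra's or Microsoft's code. The SAMPLE_LOG below is
constructed for illustration; real GoAnywhere log formats may differ.
"""
import re
from datetime import datetime
from pathlib import Path

# The advisory names this string as the error indicator to search for.
# Matching is case-insensitive so capitalization differences in log output
# do not hide a hit.
INDICATOR = re.compile(r"SignedObject\.getObject", re.IGNORECASE)

# Assumed timestamp prefix ("YYYY-MM-DD HH:MM:SS"); adjust for the real format.
TIMESTAMP = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")


def find_indicator_lines(lines):
    """Return a list of (line_number, line) for every line containing the indicator."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        if INDICATOR.search(line):
            hits.append((lineno, line.rstrip("\n")))
    return hits


def first_seen(hits):
    """Return the earliest parseable timestamp among the hits, or None."""
    stamps = []
    for _, line in hits:
        match = TIMESTAMP.match(line)
        if match:
            stamps.append(datetime.strptime(match.group(1), "%Y-%m-%d %H:%M:%S"))
    return min(stamps) if stamps else None


def scan_file(path):
    """Scan one file; unreadable bytes are replaced rather than aborting the scan."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_indicator_lines(fh)


def scan_directory(root, patterns=("*.log", "*.txt")):
    """Recursively scan files under root; return {path: hits} for files with hits."""
    results = {}
    for pattern in patterns:
        for path in Path(root).rglob(pattern):
            hits = scan_file(path)
            if hits:
                results[str(path)] = hits
    return results


# Constructed sample: one benign line, one error line carrying the indicator,
# one more benign line. Not real GoAnywhere output.
SAMPLE_LOG = """\
2025-09-11 03:14:07 INFO  License check started
2025-09-11 03:14:08 ERROR Deserialization failed at java.security.SignedObject.getObject
2025-09-11 03:15:00 INFO  Scheduled task completed
"""


if __name__ == "__main__":
    hits = find_indicator_lines(SAMPLE_LOG.splitlines())
    for lineno, line in hits:
        print(f"[!] line {lineno}: {line}")
    print("earliest hit:", first_seen(hits))
```

Point `scan_directory` at the GoAnywhere log directory on a suspected host; any hit is a reason to treat the instance as potentially compromised and to check whether its earliest timestamp predates the patch date.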
Via BleepingComputer