Microsoft warns critical GoAnywhere security bug is being exploited by ransomware gang, so be on your guard


  • CVE-2025-10035 in GoAnywhere MFT is being exploited by ransomware group Storm-1175
  • Vulnerability enables unauthenticated remote code execution; Medusa ransomware was deployed in at least one case
  • Patch released September 18; over 500 instances remain exposed, urging immediate upgrades or mitigation

Microsoft is warning that a ransomware group is exploiting a maximum-severity vulnerability recently found in GoAnywhere Managed File Transfer (MFT).

Fortra recently said it discovered and patched a deserialization vulnerability in the License Servlet of GoAnywhere MFT, a tool that helps businesses send and receive files securely.

The flaw, tracked as CVE-2025-10035 and given the maximum severity score (10/10, critical), allows threat actors holding a validly forged license response signature to deserialize an arbitrary actor-controlled object, “possibly leading to command injection.”

Storm-1175

Soon after, security researchers at WatchTowr Labs reported finding “credible evidence” that the bug was being used as a zero-day as early as September 10. At the time, however, there was no attribution: it was unknown who was using the bug, for what purpose, and against which businesses.

Now, Microsoft released a new report, pointing the finger at a threat actor it tracks as Storm-1175.

“Microsoft Defender researchers identified exploitation activity in multiple organizations aligned to tactics, techniques, and procedures (TTPs) attributed to Storm-1175,” Microsoft said in the report. “Related activity was observed on September 11, 2025.”

Microsoft also said the group used the vulnerability to infect its targets with the Medusa ransomware strain.

“Ultimately, in one compromised environment, the successful deployment of Medusa ransomware was observed,” it concluded.

The patch for the vulnerability was released on September 18, but it is safe to assume that not every installation has been updated yet. The Shadowserver Foundation says there are currently more than 500 GoAnywhere MFT instances exposed online, though it is unclear how many of those are patched.

The best way to protect against the attacks is to upgrade to a patched version, either the latest release (7.8.4), or the Sustain Release 7.6.3.

Those who cannot patch at this time can remove GoAnywhere from the public internet through the Admin Console, and those who suspect they may have been targeted should inspect log files for errors containing the string 'SignedObject.getObject'.
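As an added example (not code from the article, Fortra or Microsoft), a small Python triage script that applies the two checks above: it flags log lines containing the `SignedObject.getObject` error string, and it compares an instance's reported version against the patched releases named here (7.8.4 and the 7.6.3 Sustain Release). The log lines are constructed, and the rule that only the 7.6.3+ and 7.8.4+ lines count as patched is an assumption drawn from the article's wording, so anything else is simply flagged for an upgrade.

```python
import re
from typing import Iterable, List, Tuple

# Indicator named in the article: errors referencing this Java call in GoAnywhere logs.
INDICATOR = "SignedObject.getObject"

# Patched releases named in the article (assumption: every other version needs review).
PATCHED_LATEST = (7, 8, 4)       # latest release line
PATCHED_SUSTAIN = (7, 6, 3)      # Sustain Release line

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '7.6.3' into (7, 6, 3); reject anything that is not dotted integers."""
    if not re.fullmatch(r"\d+(\.\d+)*", text.strip()):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in text.strip().split("."))

def is_patched(version: str) -> bool:
    """True if the version is at or above one of the two fixed releases named above."""
    v = parse_version(version)
    v = v + (0,) * (3 - len(v))          # pad '7.8' to (7, 8, 0)
    if v[:2] == PATCHED_SUSTAIN[:2]:     # 7.6.x Sustain branch
        return v >= PATCHED_SUSTAIN
    return v >= PATCHED_LATEST           # 7.8.4 and later

def find_indicator_lines(lines: Iterable[str]) -> List[str]:
    """Return log lines that contain the indicator string (case-sensitive, as written)."""
    return [ln.rstrip("\n") for ln in lines if INDICATOR in ln]

# Constructed sample log excerpt (not a real GoAnywhere log).
SAMPLE_LOG = """\
2025-09-11 03:12:05 INFO  Scheduler started
2025-09-11 03:14:41 ERROR License Servlet: java.lang.Exception at java.security.SignedObject.getObject
2025-09-11 03:14:42 ERROR Unexpected object type during license verification
2025-09-11 03:20:00 INFO  Scheduler tick
""".splitlines()

def triage(version: str, log_lines: Iterable[str]) -> dict:
    """Summarise patch status and indicator hits for one instance."""
    hits = find_indicator_lines(log_lines)
    if hits:
        action = "investigate: indicator present in logs"
    elif not is_patched(version):
        action = "upgrade to 7.8.4 or Sustain Release 7.6.3"
    else:
        action = "no action from these checks"
    return {"version": version, "patched": is_patched(version), "indicator_hits": hits, "action": action}

if __name__ == "__main__":
    for report in (triage("7.6.2", SAMPLE_LOG), triage("7.8.4", [])):
        print(report)
```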

Via BleepingComputer


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
