TL;DR: A critical vulnerability in GoAnywhere MFT software has been exploited by Storm-1175 cybercriminals to deploy Medusa ransomware. The flaw allows attackers to gain unauthorized access without authentication, affecting organizations across multiple sectors with potentially devastating consequences.
The cybersecurity landscape faced another significant threat when Microsoft revealed that cybercriminals had been actively exploiting a critical vulnerability in Fortra’s GoAnywhere Managed File Transfer platform. This zero-day flaw, tracked as CVE-2025-10035, has become the latest weapon in the arsenal of ransomware operators targeting businesses across multiple industries.
The discovery highlights a troubling pattern where file transfer infrastructure continues to be a prime target for sophisticated threat actors. Organizations that rely on GoAnywhere MFT for secure file transfers found themselves potentially exposed to attackers who had been operating in the shadows since at least September 10, days before the vendor even discovered the vulnerability.
The Vulnerability and Its Severity
The cybersecurity community was shaken when researchers uncovered a devastating flaw lurking within GoAnywhere MFT’s core functionality. This wasn’t just another routine security issue – it represented a perfect storm of factors that made it extraordinarily dangerous. The vulnerability’s location in the License Servlet Admin Console meant that attackers could target a component that many organizations assumed was secure, turning a trusted tool into a wide-open gateway for cybercriminals.
The flaw carries a maximum CVSS score of 10.0, indicating the highest possible severity rating
It affects GoAnywhere MFT versions up to 7.8.3, impacting thousands of organizations worldwide
The vulnerability exists in the License Servlet Admin Console, allowing remote code execution
No authentication is required once attackers craft a valid payload, making exploitation straightforward
The deserialization flaw enables attackers to inject arbitrary commands into the Java process
This vulnerability represents one of the most serious threats to emerge in recent months, combining ease of exploitation with potentially catastrophic consequences for affected organizations.
How the Attack Works
Understanding the mechanics of this attack reveals why it has proven so effective against even security-conscious organizations. The exploitation process unfolds like a carefully choreographed heist, with each step designed to maximize access while minimizing detection. What makes this attack particularly insidious is how it leverages legitimate functionality and tools, allowing attackers to blend in with normal network activity until it’s too late.
Attackers forge a valid license response signature to bypass security controls
They exploit the unsafe deserialization logic to execute malicious code
Remote monitoring and management (RMM) tools such as SimpleHelp and MeshAgent are deployed for persistence
Web shells are dropped to maintain backdoor access to compromised systems
PowerShell commands enumerate the network, gathering intelligence on users and systems
Data is exfiltrated using Rclone to cloud storage controlled by attackers
Finally, Medusa ransomware is deployed to encrypt victim files and demand payment
The multi-stage nature of this attack demonstrates the sophistication of modern ransomware operations, where initial access is just the beginning of a carefully orchestrated campaign.
The Threat Actors Behind the Campaign
Storm-1175 isn’t your average group of opportunistic hackers – they represent a new breed of professional cybercriminals who operate with the efficiency of a legitimate business. Their selection of GoAnywhere as a target demonstrates deep knowledge of enterprise infrastructure and an understanding of where organizations are most vulnerable. This group has refined their techniques through repeated campaigns, learning from each attack to become more effective and harder to detect.
Microsoft attributes the attacks to Storm-1175, a financially motivated cybercrime group
The group has a history of exploiting public-facing vulnerabilities for ransomware deployment
They specialize in targeting file transfer and collaboration platforms
Storm-1175 operates as an affiliate of the Medusa ransomware operation
The group has shown increasing activity levels, with a 45% surge in operations in 2025
These cybercriminals represent a persistent and evolving threat to organizations, constantly searching for new vulnerabilities to exploit in their quest for financial gain.
Organizations at Risk
The reach of this vulnerability extends far beyond any single industry or geography, touching virtually every sector that relies on secure file transfers. What makes the situation particularly alarming is that many affected organizations don’t even realize they’re running vulnerable versions of GoAnywhere, having deployed the software years ago and forgotten about it. The common thread among potential victims is their need to move sensitive data securely – ironically, the very purpose that led them to implement GoAnywhere in the first place.
Transportation companies managing logistics and supply chain data
Educational institutions handling sensitive student and research information
Retail businesses processing customer data and payment information
Insurance companies managing policyholder records and claims data
Manufacturing firms protecting intellectual property and operational technology
Any organization using unpatched GoAnywhere MFT versions with internet-exposed admin consoles
Companies that haven’t implemented proper network segmentation or monitoring
The broad range of affected sectors underscores how widely deployed GoAnywhere MFT is across industries, making this vulnerability particularly concerning for the business community.
Critical Remediation Steps
Time is of the essence when addressing this vulnerability, as every hour of delay gives attackers another opportunity to establish a foothold in your network. The remediation process requires more than just applying a patch – it demands a comprehensive approach that addresses both the immediate vulnerability and the possibility that compromise has already occurred. Organizations must balance the urgency of patching with the need to preserve evidence and maintain business operations.
Immediately upgrade to GoAnywhere MFT version 7.8.4 or the updated 7.6.3 sustain release
Configure perimeter firewalls to block unauthorized outbound connections from GoAnywhere servers
Enable Endpoint Detection and Response solutions in blocking mode
Monitor for indicators of compromise including unusual JSP/WAR files and Java process invocations
Conduct forensic analysis to determine if exploitation occurred during the vulnerability window
Implement network segmentation to limit potential lateral movement
Organizations must act swiftly to implement these measures, as the window of exposure has already allowed attackers significant opportunity for compromise.
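As an added defender-side example (not code from the original post, Fortra or Microsoft), the following Python checks an installed GoAnywhere MFT version against the affected range stated above and runs simple detection rules for the post-exploitation behaviours listed under How the Attack Works over endpoint events. The event field names, file paths and sample values are assumptions constructed for illustration, not real telemetry.

```python
# Added example, not code from the original post, Fortra or Microsoft: two defender
# checks built from what the post states. is_vulnerable() tests an installed GoAnywhere
# MFT version against the affected range; triage() runs detection rules for the listed
# post-exploitation behaviours over endpoint events (all field names/values constructed).
import re

def is_vulnerable(version: str) -> bool:
    # Per the post: releases up to 7.8.3 are affected, except the patched 7.6.3
    # sustain release; 7.8.4 and later are fixed.
    v = tuple(int(p) for p in version.split("."))
    return v < (7, 6, 3) if v[:2] == (7, 6) else v <= (7, 8, 3)

def basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1].lower()

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "sh", "bash"}

def java_spawned_shell(e: dict) -> bool:
    # GoAnywhere's Java process has no business launching a command shell.
    return (e["type"] == "process"
            and basename(e["parent_image"]) in {"java.exe", "java"}
            and "goanywhere" in e.get("parent_cmdline", "").lower()
            and basename(e["image"]) in SHELLS)

def rclone_transfer(e: dict) -> bool:
    return (e["type"] == "process" and basename(e["image"]).startswith("rclone")
            and re.search(r"\b(copy|sync|move)\b", e.get("cmdline", "")) is not None)

def rmm_tool(e: dict) -> bool:
    return e["type"] == "process" and any(t in basename(e["image"]) for t in ("simplehelp", "meshagent"))

def jsp_or_war_created(e: dict) -> bool:
    return e["type"] == "file" and e["path"].lower().endswith((".jsp", ".war"))

RULES = [("goanywhere-java-spawned-shell", java_spawned_shell), ("rclone-transfer", rclone_transfer),
         ("rmm-tool-executed", rmm_tool), ("jsp-or-war-file-created", jsp_or_war_created)]

def triage(events: list) -> list:
    # Returns (rule name, host) for every event that matches a rule.
    return [(name, e["host"]) for e in events for name, pred in RULES if pred(e)]

SAMPLE_EVENTS = [  # constructed sample events from a hypothetical MFT host
    {"type": "process", "host": "mft01", "parent_image": r"C:\Program Files\Java\bin\java.exe",
     "parent_cmdline": "java -jar GoAnywhere.jar", "cmdline": "powershell.exe -NoProfile",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "process", "host": "mft01", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\Public\rclone.exe", "cmdline": r"rclone copy D:\MFT\outbox remote:bucket"},
    {"type": "process", "host": "mft01", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\ProgramData\MeshAgent\MeshAgent.exe", "cmdline": "MeshAgent.exe"},
    {"type": "file", "host": "mft01", "path": r"C:\GoAnywhere\tomcat\webapps\ROOT\sync.jsp"},
]
```

Calling `triage(SAMPLE_EVENTS)` flags each of the four constructed events by exactly one rule; a PowerShell launched from Explorer on a workstation, with no GoAnywhere Java parent, produces no hit.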
How CinchOps Can Help
In the face of sophisticated threats like the GoAnywhere vulnerability, businesses need comprehensive cybersecurity solutions that go beyond basic protection. CinchOps provides the expertise and tools necessary to defend against modern ransomware campaigns and zero-day exploits.
24/7 Security Operations Center monitoring to detect and respond to threats in real-time
Vulnerability management programs that identify and prioritize critical patches before exploitation
Incident response services to contain and remediate ransomware attacks quickly
Network segmentation design to limit the impact of successful breaches
Employee security awareness training to strengthen the human firewall
Regular security assessments to identify weaknesses before attackers do
Backup and disaster recovery solutions to ensure business continuity
CinchOps understands that Houston businesses face unique challenges in today’s threat landscape, and our team is dedicated to providing tailored security solutions that protect your critical assets while enabling business growth.