Storm-1175’s Masterstroke Exploits CVE-2025-10035 in GoAnywhere MFT

Red | Vulnerability Report

Storm-1175 Exploits GoAnywhere MFT Zero-Day (CVE-2025-10035) to Deploy Medusa Ransomware

Summary

A critical deserialization vulnerability (CVE-2025-10035) in Fortra's GoAnywhere Managed File Transfer (MFT) has been actively exploited by the threat actor Storm-1175 since September 2025. The flaw affects GoAnywhere MFT versions up to and including 7.8.3 and is reached through the Admin Console's License Servlet: an attacker who presents a validly forged license-response signature can have the server deserialize an arbitrary attacker-controlled object, leading to command injection, remote code execution (RCE) and full system compromise.

The campaign culminated in Medusa ransomware being deployed in multiple enterprise environments. The chain ran from deserialization of untrusted data to the abuse of remote monitoring and management (RMM) tools and data exfiltration with Rclone, showing Storm-1175's operational maturity and its financially motivated aims.


Vulnerability Details

CVE-2025-10035 resides in the License Servlet of GoAnywhere MFT. License responses are handled as signed objects; an attacker holding a validly forged license-response signature can submit a response whose payload the servlet deserializes as an arbitrary attacker-controlled Java object. The signature check that should gate deserialization thus becomes the entry point, and the resulting object graph yields arbitrary command execution on the server.

  • Affected Versions: GoAnywhere MFT Admin Console ≤ 7.8.3
  • Impact: Full remote code execution (RCE) via crafted license responses
  • CWE IDs: CWE-77 (Command Injection), CWE-502 (Deserialization of Untrusted Data)
  • CPE: cpe:2.3:a:fortra:goanywhere_managed_file_transfer:*:*:*:*:*:*:*:*

Exploitation Timeline

  • September 11–12, 2025: Fortra identifies suspicious activity in the License Servlet, confirms the flaw, patches its hosted MFTaaS instances and releases fixed versions 7.8.4 (current release) and 7.6.3 (sustain release). Later evidence shows exploitation was already under way as a zero-day.
  • September 18, 2025: CVE-2025-10035 is published alongside Fortra's security advisory.
  • September 29, 2025: Added to the CISA Known Exploited Vulnerabilities (KEV) catalog.
  • October 6, 2025: Microsoft attributes the exploitation to Storm-1175 and reports Medusa ransomware deployment; Fortra publishes its investigation timeline and confirms all MFTaaS instances were upgraded.

Exploitation Chain

Storm-1175 gained initial access through the deserialization flaw, then established persistence by dropping the SimpleHelp and MeshAgent RMM tools, spawned from and blending in with the GoAnywhere MFT process. The attackers also wrote .jsp web shells into GoAnywhere directories, giving them remote command execution independent of the RMM tooling.

Post-Compromise Activities:

  • Discovery: Enumerated systems and network architecture using netscan.
  • Lateral Movement: Utilized mstsc.exe for internal traversal.
  • Command & Control: Established a Cloudflare tunnel to evade detection.
  • Exfiltration: Used Rclone for data theft prior to Medusa ransomware deployment.

This campaign mirrors prior Cl0p ransomware operations from 2023 that abused CVE-2023-0669 in GoAnywhere MFT, indicating continued targeting of file transfer software ecosystems.


Recommendations

  • Upgrade Immediately: Patch all instances of GoAnywhere MFT to the latest secure versions — v7.8.4 (current release) or v7.6.3 (sustain release). Ensure all MFTaaS instances are verified as updated.
  • Restrict Admin Console Exposure: Remove GoAnywhere Admin Console from the public internet. Limit access to internal networks or enforce VPN-only connections to reduce the attack surface.
  • Monitor Audit Logs: Review the Admin Audit logs under userdata/logs/ for errors whose stack trace contains SignedObject.getObject; Fortra names this as the indicator of attempted exploitation of the License Servlet. Treat license-parsing errors from unexpected sources the same way.
  • Enhance Network Segmentation: Isolate MFT servers from sensitive data stores and restrict outbound connections to prevent data exfiltration.
  • Implement Security Hardening: Use application firewalls, proxy controls, and endpoint monitoring to detect exploitation attempts and unauthorized RMM tool installations.

Indicators of Compromise (IoCs)

SHA256 Hashes:

  • 4106c35ff46bb6f2f4a42d63a2b8a619f1e1df72414122ddf6fd1b1a644b3220
  • c7e2632702d0e22598b90ea226d3cde4830455d9232bd8b33ebcb13827e99bc3
  • cd5aa589873d777c6e919c4438afe8bceccad6bbe57739e2ccb70b39aee1e8b3
  • 5ba7de7d5115789b952d9b1c6cff440c9128f438de933ff9044a68fff8496d19

IPv4 Addresses:

  • 31[.]220[.]45[.]120
  • 45[.]11[.]183[.]123
  • 213[.]183[.]63[.]41
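
Worked example, added here and not part of HivePro's advisory or any Fortra tooling: a short Python triage script that applies the "Monitor Audit Logs" recommendation and the IoC list above to local artefacts. The only inputs taken from this page are the SignedObject.getObject indicator, the three defanged IPv4 addresses and the four SHA256 hashes; the sample log lines and their layout, the example install path, and the heuristic of flagging recently modified .jsp files as possible web shells are constructed assumptions for illustration.

```python
"""Triage helper for the CVE-2025-10035 indicators (added example, not vendor code).

From the advisory: the SignedObject.getObject stack-trace marker, three defanged
IPs and four SHA256 hashes. Assumed/constructed: the log line layout in
SAMPLE_LOG and the .jsp modification-time heuristic.
"""
import hashlib
import re
from pathlib import Path

# Indicators copied from the advisory; IPs stay defanged as published and are
# refanged only in memory so they are never pasted live into a ticket by accident.
IOC_IPS_DEFANGED = ["31[.]220[.]45[.]120", "45[.]11[.]183[.]123", "213[.]183[.]63[.]41"]
IOC_SHA256 = {
    "4106c35ff46bb6f2f4a42d63a2b8a619f1e1df72414122ddf6fd1b1a644b3220",
    "c7e2632702d0e22598b90ea226d3cde4830455d9232bd8b33ebcb13827e99bc3",
    "cd5aa589873d777c6e919c4438afe8bceccad6bbe57739e2ccb70b39aee1e8b3",
    "5ba7de7d5115789b952d9b1c6cff440c9128f438de933ff9044a68fff8496d19",
}
# Fortra's guidance: errors in the Admin Audit logs (userdata/logs/) whose stack
# trace contains this method indicate an attempted exploit of the License Servlet.
DESER_INDICATOR = "SignedObject.getObject"

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def refang(ip: str) -> str:
    """Turn a defanged IoC such as 1[.]2[.]3[.]4 back into a matchable address."""
    return ip.replace("[.]", ".")


IOC_IPS = {refang(ip) for ip in IOC_IPS_DEFANGED}


def scan_log_lines(lines):
    """Return (line_no, reason, line) for every line matching an indicator.

    One line can yield more than one hit (stack-trace marker plus an IoC IP)."""
    hits = []
    for n, line in enumerate(lines, start=1):
        if DESER_INDICATOR in line:
            hits.append((n, "deserialization-stacktrace", line))
        for ip in IPV4_RE.findall(line):
            if ip in IOC_IPS:
                hits.append((n, f"ioc-ip:{ip}", line))
    return hits


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sweep_files(root, hashes=IOC_SHA256):
    """Hash every regular file under root and return those whose digest is in hashes."""
    matches = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            digest = sha256_hex(p.read_bytes())
            if digest in hashes:
                matches.append((str(p), digest))
    return matches


def recent_jsp_files(root, since_epoch):
    """Heuristic for dropped web shells: .jsp files modified after since_epoch.

    Use the timestamp of the last legitimate install or upgrade as the cut-off."""
    return sorted(str(p) for p in Path(root).rglob("*.jsp")
                  if p.is_file() and p.stat().st_mtime > since_epoch)


# Constructed sample log lines: the layout is invented for this example and is
# not GoAnywhere's real log format. Line 3 carries the Fortra indicator and
# line 4 contacts one of the advisory's IPs.
SAMPLE_LOG = [
    "2025-09-10 03:12:44 INFO  admin login from 10.0.5.21",
    "2025-09-10 03:13:02 ERROR License servlet request failed",
    "    at java.security.SignedObject.getObject(SignedObject.java)",
    "2025-09-10 03:14:10 INFO  outbound connection to 213.183.63.41:443",
    "2025-09-10 03:15:00 INFO  outbound connection to 142.250.72.14:443",
]

if __name__ == "__main__":
    for n, reason, line in scan_log_lines(SAMPLE_LOG):
        print(f"line {n}: {reason}: {line.strip()}")
    # On a real host, point the sweeps at the install directory, e.g.
    # sweep_files("/opt/GoAnywhere") and recent_jsp_files("/opt/GoAnywhere", upgrade_ts);
    # "/opt/GoAnywhere" is an example path, not a documented default.
```

Run it unchanged to see the two hits on the constructed sample; on a real system feed it the Admin Audit log lines and the installation directory, with the last legitimate upgrade time as since_epoch. A hash or IP match confirms compromise, but a clean sweep excludes nothing: the hashes cover only the samples seen in this campaign and the infrastructure can be rotated, so the stack-trace indicator and unexpected RMM installs remain the stronger signals.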


MITRE ATT&CK TTPs

Tactic: Technique (ID)

  • Resource Development: Obtain Capabilities – Vulnerabilities (T1588.006)
  • Initial Access: Exploit Public-Facing Application (T1190)
  • Execution: Command and Scripting Interpreter (T1059)
  • Persistence: Server Software Component – Web Shell (T1505.003); External Remote Services (T1133)
  • Privilege Escalation: Valid Accounts (T1078)
  • Discovery: System Information Discovery (T1082); Network Service Discovery (T1046)
  • Lateral Movement: Remote Services – Remote Desktop Protocol (T1021.001)
  • Command & Control: Proxy (T1090)
  • Exfiltration: Exfiltration to Cloud Storage (T1567.002); Exfiltration Over C2 Channel (T1041)
  • Impact: Data Encrypted for Impact (T1486)
