Fortra GoAnywhere MFT Zero-Day Exploited in Ransomware Attacks

A recently patched vulnerability in Fortra GoAnywhere MFT (Managed File Transfer) was exploited as a zero-day by a Chinese ransomware group, Microsoft reports.

The flaw, tracked as CVE-2025-10035 (CVSS score of 10/10), was disclosed on September 18, when Fortra rolled out patches for it. The bug is a deserialization issue in the application’s license servlet that can be exploited for command injection and remote code execution (RCE).

Shortly after public disclosure, cybersecurity firm watchTowr warned that the security defect had been exploited as a zero-day since at least September 10, without authentication, to create backdoor administrator accounts and access the MFT service.

Now, Microsoft says Storm-1175, a financially motivated hacking group operating out of China and known for using the Medusa ransomware in attacks, has been exploiting the vulnerability since September 11.

The ransomware gang was seen targeting internet-facing GoAnywhere MFT instances with forged license response signatures to achieve RCE.

The attackers deployed the SimpleHelp and MeshAgent remote monitoring and management (RMM) tools under the GoAnywhere MFT process, and created a .jsp file within the application’s directory.

Next, the threat actor performed user, system, and network discovery, followed by lateral movement using mstsc.exe. Storm-1175 also set up a Cloudflare tunnel for command-and-control (C&C) communication.

In at least one compromised environment, the hackers used the Rclone command-line tool for data exfiltration. The group deployed the Medusa ransomware on at least one compromised network.
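As an added defender-side example (not code from the article, Microsoft, watchTowr or Fortra), the Python below hunts constructed endpoint telemetry for the post-exploitation behaviours reported above: RMM agents, mstsc.exe or Rclone spawned under the GoAnywhere MFT process, and .jsp files written into the application directory. The install path, the java.exe process name for the MFT service, the cloudflared binary name for the Cloudflare tunnel, and the key="value" event format are all assumptions; adjust them to your own telemetry.

```python
"""Hunt constructed endpoint events for the Storm-1175 post-exploitation
behaviours reported by Microsoft (example code, not from the article)."""
import re
from dataclasses import dataclass

# Assumption: the GoAnywhere MFT service runs from an install directory whose
# path contains this token. Real install paths vary per deployment.
GOANYWHERE_PATH_TOKEN = "goanywhere"

# Child-process filename prefixes worth flagging when the parent is the MFT
# process. SimpleHelp, MeshAgent, mstsc.exe and Rclone are named in the report;
# "cloudflared" is an assumed binary name for the Cloudflare tunnel client.
# Prefix matching is a coarse heuristic: a renamed binary evades it, so pair
# this with hash- or signer-based checks in a real pipeline.
SUSPICIOUS_CHILD_PREFIXES = ("simplehelp", "meshagent", "mstsc", "rclone", "cloudflared")


@dataclass
class Finding:
    rule: str
    line: str


def parse_event(line: str) -> dict:
    """Parse one constructed key="value" telemetry line into a dict."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))


def basename(path: str) -> str:
    """Return the file name part of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def check_event(event: dict):
    """Return the name of the matching rule, or None if the event looks benign."""
    kind = event.get("type")
    if kind == "process_create":
        parent = event.get("parent_image", "").lower()
        child = basename(event.get("image", "").lower())
        if GOANYWHERE_PATH_TOKEN in parent and child.startswith(SUSPICIOUS_CHILD_PREFIXES):
            return "rmm_or_lateral_tool_under_goanywhere"
    elif kind == "file_create":
        path = event.get("path", "").lower()
        if GOANYWHERE_PATH_TOKEN in path and path.endswith(".jsp"):
            return "jsp_dropped_in_goanywhere_dir"
    return None


def hunt(lines):
    """Run every rule over the given lines and collect the hits in order."""
    findings = []
    for line in lines:
        rule = check_event(parse_event(line))
        if rule:
            findings.append(Finding(rule, line))
    return findings


# Constructed sample telemetry; paths and process names are illustrative only.
SAMPLE_EVENTS = [
    r'type="process_create" parent_image="C:\Program Files\GoAnywhere\bin\java.exe" image="C:\Windows\Temp\MeshAgent.exe"',
    r'type="file_create" path="C:\Program Files\GoAnywhere\webapps\root\x.jsp"',
    r'type="process_create" parent_image="C:\Program Files\GoAnywhere\bin\java.exe" image="C:\Windows\System32\mstsc.exe"',
    r'type="process_create" parent_image="C:\Windows\explorer.exe" image="C:\Windows\System32\mstsc.exe"',
    r'type="file_create" path="C:\Program Files\GoAnywhere\logs\audit.log"',
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(f"[{finding.rule}] {finding.line}")
```

Two of the three hits fire on the parent-child relationship rather than on the tool itself: mstsc.exe launched by a user from explorer.exe is normal, while mstsc.exe launched by the MFT service process is not, which is the signal a detection engineer should key on.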

Nearly three weeks after rolling out patches, two weeks since zero-day exploitation was flagged, and one week since the US cybersecurity agency CISA added the CVE to its KEV list, Fortra has not updated its advisory to warn of the bug’s exploitation.

This, watchTowr CEO Benjamin Harris pointed out in an emailed comment, should change, especially with Microsoft confirming previously found evidence of zero-day attacks.

“Microsoft’s confirmation now paints a pretty unpleasant picture — exploitation, attribution, and a month-long head start for the attackers. What’s still missing are the answers only Fortra can provide. How did threat actors get the private keys needed to exploit this? Why were organizations left in the dark for so long?” Harris said.

Technical analysis from watchTowr and Rapid7 revealed that successful exploitation of the CVE depends on the attackers having access to a ‘serverkey1’ private key that is required to forge the license response signature.

Neither company could locate the key. They speculated that it might have been leaked, that the attackers might have tricked the license server into signing a malicious license response, or that they gained access to the key by some unknown means.
