Microsoft Threat Intelligence has attributed active exploitation of a critical deserialization bug in Fortra’s GoAnywhere Managed File Transfer (MFT) to a cybercriminal affiliate it tracks as Storm-1175, tying the flaw to subsequent Medusa ransomware deployments. The vulnerability, CVE-2025-10035 (CVSS 10.0), exists in the License Servlet and allows an attacker who can supply a validly forged license response signature to deserialize an arbitrary, actor-controlled object, a condition that can lead to command injection and potential remote code execution on internet-exposed instances. Fortra released fixes in GoAnywhere 7.8.4 (and Sustain Release 7.6.3) on 18 September 2025, but telemetry indicates exploitation activity began at least as early as 10–11 September 2025.
Microsoft’s analysis describes a multi-stage intrusion: the initial deserialization exploit is followed by deployment of remote monitoring and management (RMM) binaries (SimpleHelp, MeshAgent) and the creation of .jsp artifacts under GoAnywhere directories to maintain persistence, network and system discovery using reconnaissance tools, lateral movement via mstsc.exe, exfiltration (observed use of Rclone), and ultimately ransomware encryption with Medusa. Microsoft notes the group used Cloudflare tunnels for C2 in observed incidents. Shadowserver reports more than 500 internet-exposed GoAnywhere instances remain visible, though their patch status varies.
Defensive guidance echoes Fortra and Microsoft priorities: patch immediately to the versions noted above, review logs for stack-trace errors that reference SignedObject.getObject, run EDR in block mode and enable automated investigation and remediation, apply attack surface reduction (ASR) rules, and restrict outbound internet access from the server to hinder tool downloads and C2. Microsoft also published Defender hunting queries and detection coverage for initial access, persistence, discovery, C2 and exfiltration.
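As an added illustration of the log review in that guidance (this is not code from Microsoft or Fortra), the script below groups Java stack-trace lines with the timestamped log entry that precedes them and flags any exception whose frames pass through SignedObject.getObject, while leaving unrelated exceptions alone. The log layout and the class names in the sample are constructed assumptions, not real GoAnywhere output.

```python
import re
from dataclasses import dataclass, field

# Constructed sample excerpt: one deserialization failure in the license path,
# followed by an unrelated I/O error that must not be flagged.
SAMPLE_LOG = """\
2025-09-11 03:14:07 INFO  LicenseServlet - license response received
2025-09-11 03:14:08 ERROR LicenseServlet - unhandled exception
java.lang.ClassCastException: example.Gadget cannot be cast to LicenseData
\tat java.security.SignedObject.getObject(SignedObject.java:179)
\tat example.license.LicenseServlet.doPost(LicenseServlet.java:88)
2025-09-11 03:20:00 INFO  Scheduler - job complete
2025-09-11 03:21:45 ERROR FileHandler - java.io.IOException: disk quota
\tat java.io.FileOutputStream.write(FileOutputStream.java:354)
"""

# Assumed layout: "<date> <time> <LEVEL> <message>", then optional trace lines.
LOG_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\w+)\s+(.*)$")
FRAME = re.compile(r"^\s+at\s+(\S+)\(")
INDICATOR = "java.security.SignedObject.getObject"


@dataclass
class LogEvent:
    timestamp: str
    level: str
    message: str
    frames: list = field(default_factory=list)  # fully qualified method names


def parse_events(text):
    """Attach each 'at ...' stack frame to the timestamped entry above it."""
    events, current = [], None
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            current = LogEvent(m.group(1), m.group(2), m.group(3))
            events.append(current)
        elif current is not None:
            f = FRAME.match(line)
            if f:
                current.frames.append(f.group(1))
    return events


def find_signedobject_errors(text):
    """Return (timestamp, innermost frame) for traces through SignedObject.getObject."""
    return [(ev.timestamp, ev.frames[0]) for ev in parse_events(text)
            if any(frame == INDICATOR for frame in ev.frames)]
```

A hit only means the license-response deserialization path threw; correlate the timestamp with new .jsp files under GoAnywhere directories and unexpected RMM installs before treating it as confirmed compromise.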
Indicators of Compromise
Known IoCs (for defensive use):
File SHA-256 (observed RMM tools):
* 4106c35ff46bb6f2f4a42d63a2b8a619f1e1df72414122ddf6fd1b1a644b3220 (MeshAgent)
* c7e2632702d0e22598b90ea226d3cde4830455d9232bd8b33ebcb13827e99bc3 (SimpleHelp)
* cd5aa589873d777c6e919c4438afe8bceccad6bbe57739e2ccb70b39aee1e8b3 (SimpleHelp)
* 5ba7de7d5115789b952d9b1c6cff440c9128f438de933ff9044a68fff8496d19 (SimpleHelp)
Network IPs (associated with SimpleHelp infrastructure):
* 31[.]220[.]45[.]120
* 45[.]11[.]183[.]123
* 213[.]183[.]63[.]41