
Microsoft: Critical GoAnywhere bug exploited in ransomware attacks

Tracked as CVE-2025-10035, this security flaw affects Fortra’s GoAnywhere MFT, a web-based managed file transfer tool, and is caused by a deserialization-of-untrusted-data weakness in the License Servlet. The vulnerability can be exploited remotely in low-complexity attacks that require no user interaction.

Microsoft Defender researchers identified exploitation activity in multiple organizations aligned to tactics, techniques, and procedures (TTPs) attributed to Storm-1175. For initial access, the threat actor exploited the then-zero-day deserialization vulnerability in GoAnywhere MFT. To maintain persistence, they abused remote monitoring and management (RMM) tools, specifically SimpleHelp and MeshAgent.

In the next stage of the attack, the ransomware affiliate launched the RMM binaries, used Netscan for network reconnaissance, executed commands for user and system discovery, and moved laterally through the compromised network to multiple systems using the Microsoft Remote Desktop Connection client (mstsc.exe).

During the attack, they also deployed Rclone in at least one victim’s environment to exfiltrate stolen files and deployed Medusa ransomware payloads to encrypt victims’ files.
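A defender reading this chain would want to hunt for it in endpoint telemetry. The following is an added example, not code from the article or from Microsoft: it scores constructed process-creation events against the tooling named above (GoAnywhere spawning a shell, SimpleHelp/MeshAgent, Netscan, mstsc.exe, Rclone) and flags hosts where several stages co-occur. The event field names and the GoAnywhere parent-process pattern are assumptions.

```python
"""Hunt for the GoAnywhere MFT -> RMM -> Netscan -> mstsc -> Rclone chain.

Constructed process-creation events (not real telemetry) are matched against
the tooling named in the post. Field names are assumed: host, parent, image.
"""
from collections import defaultdict

# One predicate per stage of the described chain. The GoAnywhere parent
# pattern (its Java runtime spawning a shell) is an assumption, not from the post.
STAGES = {
    "initial_access": lambda e: "goanywhere" in e["parent"].lower()
                                and e["image"].lower() in ("cmd.exe", "powershell.exe"),
    "persistence_rmm": lambda e: any(t in e["image"].lower()
                                     for t in ("simplehelp", "meshagent")),
    "recon": lambda e: "netscan" in e["image"].lower(),
    "lateral_movement": lambda e: e["image"].lower() == "mstsc.exe",
    "exfiltration": lambda e: e["image"].lower() == "rclone.exe",
}

def stages_per_host(events):
    """Return {host: set of stage names} observed in the events."""
    seen = defaultdict(set)
    for e in events:
        for name, matches in STAGES.items():
            if matches(e):
                seen[e["host"]].add(name)
    return seen

def flag_hosts(events, min_stages=2):
    """Hosts showing at least min_stages distinct chain stages, sorted.

    A single stage (e.g. an admin's own mstsc.exe) is normal; several
    stages on one host is what makes this worth an analyst's time.
    """
    return sorted(h for h, s in stages_per_host(events).items()
                  if len(s) >= min_stages)

SAMPLE_EVENTS = [  # constructed sample data
    {"host": "mft01", "parent": "GoAnywhere\\jre\\bin\\java.exe", "image": "cmd.exe"},
    {"host": "mft01", "parent": "cmd.exe", "image": "SimpleHelp.exe"},
    {"host": "mft01", "parent": "SimpleHelp.exe", "image": "netscan.exe"},
    {"host": "mft01", "parent": "explorer.exe", "image": "mstsc.exe"},
    {"host": "fs02", "parent": "explorer.exe", "image": "rclone.exe"},
    {"host": "ws03", "parent": "explorer.exe", "image": "mstsc.exe"},  # benign RDP use
]

if __name__ == "__main__":
    for host, stages in sorted(stages_per_host(SAMPLE_EVENTS).items()):
        print(host, sorted(stages))
    print("flagged:", flag_hosts(SAMPLE_EVENTS))
```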

To read the complete article see:

https://www.bleepingcomputer.com/news/security/microsoft-critical-goanywhere-bug-exploited-in-ransomware-attacks/

This post is licensed under CC BY 4.0 by the author.