{
	"id": "40090628-30cd-41ff-a2b2-232ae1e01c15",
	"created_at": "2026-04-06T00:15:23.613419Z",
	"updated_at": "2026-04-10T03:36:18.940224Z",
	"deleted_at": null,
	"sha1_hash": "f9dfa404bbc4acff4199b02ea56f64d1e790a6de",
	"title": "Investigating active exploitation of CVE-2025-10035 GoAnywhere Managed File Transfer vulnerability | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 103247,
	"plain_text": "Investigating active exploitation of CVE-2025-10035 GoAnywhere Managed File Transfer vulnerability | Microsoft Security Blog\r\nBy Microsoft Threat Intelligence\r\nPublished: 2025-10-06 · Archived: 2026-04-05 14:39:54 UTC\r\nOn September 18, 2025, Fortra published a security advisory regarding a critical deserialization vulnerability in GoAnywhere MFT’s License Servlet, which is tracked as CVE-2025-10035 and has a CVSS score of 10.0. The vulnerability could allow a threat actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection and potential remote code execution (RCE). A cybercriminal group tracked by Microsoft Threat Intelligence as Storm-1175, known for deploying Medusa ransomware and exploiting public-facing applications for initial access, was observed exploiting the vulnerability. Microsoft urges customers to upgrade to the latest version following Fortra’s recommendations. We are publishing this blog post to increase awareness of this threat and to share end-to-end protection coverage details across Microsoft Defender, as well as security posture hardening recommendations for customers.\r\nVulnerability analysis\r\nThe vulnerability, tracked as CVE-2025-10035, is a critical deserialization flaw impacting GoAnywhere MFT’s License Servlet Admin Console versions up to 7.8.3. It enables an attacker to bypass signature verification by crafting a forged license response signature, which then allows the deserialization of arbitrary, attacker-controlled objects.\r\nSuccessful exploitation could result in command injection and potential RCE on the affected system. 
Public reports indicate that exploitation does not require authentication if the attacker can craft or intercept valid license responses, making this vulnerability particularly dangerous for internet-exposed instances.\r\nThe impact of CVE-2025-10035 is amplified by the fact that, upon successful exploitation, attackers could perform system and user discovery, maintain long-term access, and deploy additional tools for lateral movement and malware. Public advisories recommend immediate patching, reviewing license verification mechanisms, and closely monitoring for suspicious activity in GoAnywhere MFT environments to mitigate risks associated with this vulnerability.\r\nExploitation activity by Storm-1175\r\nMicrosoft Defender researchers identified exploitation activity in multiple organizations aligned to tactics, techniques, and procedures (TTPs) attributed to Storm-1175. Related activity was observed on September 11, 2025.\r\nhttps://www.microsoft.com/en-us/security/blog/2025/10/06/investigating-active-exploitation-of-cve-2025-10035-goanywhere-managed-file-transfer-vulnerability/\r\nPage 1 of 9\r\nAn analysis of the threat actor’s TTPs reveals a multi-stage attack. For initial access, the threat actor exploited the then-zero-day deserialization vulnerability in GoAnywhere MFT. To maintain persistence, they abused remote monitoring and management (RMM) tools, specifically SimpleHelp and MeshAgent. They dropped the RMM binaries directly under the GoAnywhere MFT process. In addition to these RMM payloads, the creation of .jsp files within the GoAnywhere MFT directories was observed, often at the same time as the dropped RMM tools. The threat actor then executed user and system discovery commands and deployed tools like netscan for network discovery. 
Lateral movement was achieved using mstsc.exe, allowing the threat actor to move across systems within the compromised network.\r\nFor command and control (C2), the threat actor utilized RMM tools to establish their infrastructure and even set up a Cloudflare tunnel for secure C2 communication. During the exfiltration stage, the deployment and execution of Rclone was observed in at least one victim environment. Ultimately, in one compromised environment, the successful deployment of Medusa ransomware was observed.\r\nMitigation and protection guidance\r\nMicrosoft recommends the following mitigations to reduce the impact of this threat.\r\n– Upgrade to the latest version following Fortra’s recommendations. Note that upgrading does not address previous exploitation activity, and review of the impacted system may be required.\r\n– Use an enterprise attack surface management product, like Microsoft Defender External Attack Surface Management (Defender EASM), to discover unpatched systems on your perimeter.\r\n– Check your perimeter firewall and proxy to ensure servers are restricted from accessing the internet for arbitrary connections, like browsing and downloads. Such restrictions help inhibit malware downloads and command-and-control activity.\r\n– Run endpoint detection and response (EDR) in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.\r\n– Enable investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume. 
\r\n– Turn on block mode in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.\r\n– Microsoft Defender customers can turn on attack surface reduction rules to prevent common attack techniques used in ransomware attacks. Attack surface reduction rules are sweeping settings that are effective at stopping entire classes of threats:\r\n  – Block executable files from running unless they meet a prevalence, age, or trusted list criterion\r\n  – Use advanced protection against ransomware\r\n  – Block web shell creation for servers\r\nMicrosoft Defender XDR detections\r\nFollowing the release of the vulnerability, the Microsoft Defender Research Team ensured that protections are deployed for customers, from ensuring that Microsoft Defender Vulnerability Management correctly identifies and surfaces all vulnerable devices in impacted customer environments, to building Microsoft Defender for Endpoint detections and alerting along the attack chain.\r\nMicrosoft Defender Vulnerability Management customers can search for this vulnerability in the Defender Portal or navigate directly to the CVE page to view a detailed list of the exposed devices within their organization.\r\nCustomers of Microsoft Defender Experts for XDR that might have been impacted have also been notified of any post-exploitation activity and recommended actions.\r\nMicrosoft Defender XDR customers can refer to the list of applicable detections below. 
Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against attacks like the threat discussed in this blog.\r\nCustomers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.\r\nTactic: Initial access\r\nObserved activity: Exploitation of GoAnywhere MFT via deserialization in Licensing Service\r\nMicrosoft Defender coverage:\r\nMicrosoft Defender for Endpoint detects possible exploitation via the following alert:\r\n– Possible exploitation of GoAnywhere MFT vulnerability\r\nMicrosoft Defender Experts for XDR can detect possible exploitation via the following alerts:\r\n– Possible exploitation of vulnerability in GoAnywhere Tomcat\r\n– Possible discovery activity following successful Tomcat vulnerability exploitation\r\nMicrosoft Defender Vulnerability Management (MDVM) surfaces devices vulnerable to CVE-2025-10035.\r\nMicrosoft Defender External Attack Surface Management Attack Surface Insights with the following title can indicate vulnerable devices on your network but is not necessarily indicative of exploitation:\r\n– [Potential] CVE-2025-10035 – GoAnywhere MFT Command Injection via Deserialization in Licensing Service\r\n(Note: An Attack Surface Insight marked as potential indicates a service is running but cannot validate whether that service is running a vulnerable version. 
Check resources to verify that they are up to date.)\r\nTactic: Persistence\r\nObserved activity: Dropping and abuse of remote monitoring and management (RMM) tool and suspected web shell deployment; creation of .jsp files within the GoAnywhere MFT directories\r\nMicrosoft Defender coverage:\r\nMicrosoft Defender for Endpoint detects possible signs of the attacker deploying persistence mechanisms via the following alerts:\r\n– Uncommon remote access software\r\n– Remote access software\r\n– Suspicious file dropped and launched\r\n– Suspicious service launched\r\n– Suspicious account creation\r\n– User account created under suspicious circumstances\r\n– New local admin added using Net commands\r\n– New group added suspiciously\r\n– Suspicious Windows account manipulation\r\n– Ransomware-linked threat actor detected\r\nTactic: Discovery\r\nObserved activity: User and system discovery commands; deployment of tools such as netscan for network discovery\r\nMicrosoft Defender coverage:\r\nMicrosoft Defender for Endpoint detects malicious exploration activities via the following alerts:\r\n– Suspicious sequence of exploration activities\r\n– Anomalous account lookups\r\n– Suspicious Windows account manipulation\r\nTactic: Command and control\r\nObserved activity: Use of RMM tools for establishing C2 infrastructure and setup of Cloudflare tunnel for secure C2 communication\r\nMicrosoft Defender coverage:\r\nMicrosoft Defender for Endpoint detects C2 activities observed in this campaign via the following alerts:\r\n– Uncommon remote access software\r\n– Remote access software\r\nTactic: Exfiltration\r\nObserved activity: Rclone deployment and execution\r\nMicrosoft Defender coverage:\r\nMicrosoft Defender for Endpoint detects exfiltration activities observed in this campaign via the following alert:\r\n– Ransomware-linked threat actor detected\r\nTactic: Actions on objectives\r\nObserved activity: Deployment of Medusa ransomware\r\nMicrosoft Defender coverage: 
\r\nMicrosoft Defender Antivirus detects the ransomware payload used in this attack as the following threat:\r\n– Ransom:Win32/Medusa\r\nMicrosoft Defender for Endpoint detects the ransomware payload via the following alerts:\r\n– Ransomware-linked threat actor detected\r\nMicrosoft Security Copilot\r\nSecurity Copilot customers can use the standalone experience to create their own prompts or run the following prebuilt promptbooks to automate incident response or investigation tasks related to this threat:\r\n– Incident investigation\r\n– Microsoft User analysis\r\n– Threat actor profile\r\n– Threat Intelligence 360 report based on MDTI article\r\n– Vulnerability impact assessment\r\nNote that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.\r\nThreat intelligence reports\r\nMicrosoft Defender XDR customers can use the following threat analytics reports in the Defender portal (requires license for at least one Defender XDR product) to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. 
These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.\r\nMicrosoft Defender XDR threat analytics\r\n– Vulnerability profile: CVE-2025-10035 – GoAnywhere Managed File Transfer\r\n– Actor profile: Storm-1175\r\nMicrosoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience in the Microsoft Defender portal to get more information about this threat actor.\r\nHunting queries\r\nMicrosoft Defender XDR\r\nMicrosoft Defender XDR customers can run the following queries to find related activity in their networks:\r\nVulnerable devices\r\nFind devices affected by the CVE-2025-10035 vulnerability.\r\nDeviceTvmSoftwareVulnerabilities\r\n| where CveId in (\"CVE-2025-10035\")\r\n| summarize by DeviceName, CveId\r\nPossible GoAnywhere MFT exploitation\r\nLook for suspicious PowerShell commands indicative of GoAnywhere MFT exploitation. These commands are also detected with the Defender for Endpoint alert Possible exploitation of GoAnywhere MFT vulnerability. 
\r\nDeviceProcessEvents\r\n| where InitiatingProcessFolderPath contains @\"\\GoAnywhere\\\"\r\n| where InitiatingProcessFileName contains \"tomcat\"\r\n| where InitiatingProcessCommandLine endswith \"//RS//GoAnywhere\"\r\n| where FileName == \"powershell.exe\"\r\n| where ProcessCommandLine has_any (\"whoami\", \"systeminfo\", \"net user\", \"net group\", \"localgroup administrators\", \"nltest /trusted_domains\", \"dsquery\", \"samaccountname=\", \"query session\", \"adscredentials\", \"o365accountconfiguration\", \"Invoke-Expression\", \"DownloadString\", \"DownloadFile\", \"FromBase64String\", \"System.IO.Compression\", \"System.IO.MemoryStream\", \"iex \", \"iex(\", \"Invoke-WebRequest\", \"set-MpPreference\", \"add-MpPreference\", \"certutil\", \"bitsadmin\")\r\nLook for suspicious cmd.exe commands launched after possible GoAnywhere MFT exploitation. These commands are also detected with the Defender for Endpoint alert Possible exploitation of GoAnywhere MFT vulnerability. 
\r\nDeviceProcessEvents\r\n| where InitiatingProcessFolderPath contains @\"\\GoAnywhere\\\"\r\n| where InitiatingProcessFileName contains \"tomcat\"\r\n| where InitiatingProcessCommandLine endswith \"//RS//GoAnywhere\"\r\n| where ProcessCommandLine !contains @\"\\GIT\\\"\r\n| where FileName == \"cmd.exe\"\r\n| where ProcessCommandLine has_any (\"powershell.exe\", \"powershell \", \"rundll32.exe\", \"rundll32 \", \"bitsadmin.exe\", \"bitsadmin \", \"wget http\", \"quser\") or ProcessCommandLine has_all (\"nltest\", \"/dclist\") or ProcessCommandLine has_all (\"nltest\", \"/domain_trusts\") or ProcessCommandLine has_all (\"net\", \"user \", \"/add\") or ProcessCommandLine has_all (\"net\", \"user \", \" /domain\") or ProcessCommandLine has_all (\"net\", \" group\", \"/domain\")\r\nStorm-1175 indicators of compromise\r\nThe following query identifies known post-compromise tools leveraged in recent GoAnywhere exploitation activity attributed to Storm-1175. Note that the alert Ransomware-linked threat actor detected will detect these hashes. 
\r\nlet fileHashes = dynamic([\"4106c35ff46bb6f2f4a42d63a2b8a619f1e1df72414122ddf6fd1b1a644b3220\",\r\n\"c7e2632702d0e22598b90ea226d3cde4830455d9232bd8b33ebcb13827e99bc3\",\r\n\"cd5aa589873d777c6e919c4438afe8bceccad6bbe57739e2ccb70b39aee1e8b3\",\r\n\"5ba7de7d5115789b952d9b1c6cff440c9128f438de933ff9044a68fff8496d19\"]);\r\nunion\r\n(\r\nDeviceFileEvents\r\n| where SHA256 in (fileHashes)\r\n| project Timestamp, FileHash = SHA256, SourceTable = \"DeviceFileEvents\"\r\n),\r\n(\r\nDeviceEvents\r\n| where SHA256 in (fileHashes)\r\n| project Timestamp, FileHash = SHA256, SourceTable = \"DeviceEvents\"\r\n),\r\n(\r\nDeviceImageLoadEvents\r\n| where SHA256 in (fileHashes)\r\n| project Timestamp, FileHash = SHA256, SourceTable = \"DeviceImageLoadEvents\"\r\n),\r\n(\r\nDeviceProcessEvents\r\n| where SHA256 in (fileHashes)\r\n| project Timestamp, FileHash = SHA256, SourceTable = \"DeviceProcessEvents\"\r\n)\r\n| order by Timestamp desc\r\nIndicators of compromise\r\nFile IoCs (RMM tools in identified Storm-1175 exploitation activity):\r\n4106c35ff46bb6f2f4a42d63a2b8a619f1e1df72414122ddf6fd1b1a644b3220 (MeshAgent SHA-256)\r\nc7e2632702d0e22598b90ea226d3cde4830455d9232bd8b33ebcb13827e99bc3 (SimpleHelp SHA-256)\r\ncd5aa589873d777c6e919c4438afe8bceccad6bbe57739e2ccb70b39aee1e8b3 (SimpleHelp SHA-256)\r\n5ba7de7d5115789b952d9b1c6cff440c9128f438de933ff9044a68fff8496d19 (SimpleHelp SHA-256)\r\nNetwork IoCs (IPs associated with SimpleHelp):\r\n31[.]220[.]45[.]120\r\n45[.]11[.]183[.]123\r\n213[.]183[.]63[.]41\r\nReferences\r\nDeserialization Vulnerability in GoAnywhere MFT’s License Servlet (Fortra)\r\nCVE-2025-10035 Detail (CVE)\r\nCVE-2025-10035 Detail (NIST)\r\nUpgrade Process (GoAnywhere)\r\nLearn more\r\nFor the latest security research from the Microsoft Threat Intelligence community, check out the 
Microsoft Threat Intelligence Blog.\r\nTo get notified about new publications and to join discussions on social media, follow us on LinkedIn, X (formerly Twitter), and Bluesky.\r\nTo hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast.\r\nSource: https://www.microsoft.com/en-us/security/blog/2025/10/06/investigating-active-exploitation-of-cve-2025-10035-goanywhere-managed-file-transfer-vulnerability/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.microsoft.com/en-us/security/blog/2025/10/06/investigating-active-exploitation-of-cve-2025-10035-goanywhere-managed-file-transfer-vulnerability/"
	],
	"report_names": [
		"investigating-active-exploitation-of-cve-2025-10035-goanywhere-managed-file-transfer-vulnerability"
	],
	"threat_actors": [
		{
			"id": "86e3a92b-2e59-4c29-aacb-e84f829f3e95",
			"created_at": "2026-02-03T02:00:03.437562Z",
			"updated_at": "2026-04-10T02:00:03.938623Z",
			"deleted_at": null,
			"main_name": "Storm-1175",
			"aliases": [],
			"source_name": "MISPGALAXY:Storm-1175",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434523,
	"ts_updated_at": 1775792178,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f9dfa404bbc4acff4199b02ea56f64d1e790a6de.pdf",
		"text": "https://archive.orkl.eu/f9dfa404bbc4acff4199b02ea56f64d1e790a6de.txt",
		"img": "https://archive.orkl.eu/f9dfa404bbc4acff4199b02ea56f64d1e790a6de.jpg"
	}
}