Source URL: https://www.microsoft.com/en-us/security/blog/2025/10/06/investigating-active-exploitation-of-cve-2025-10035-goanywhere-managed-file-transfer-vulnerability/
Source: Microsoft Security Blog
Title: Investigating active exploitation of CVE-2025-10035 GoAnywhere Managed File Transfer vulnerability
Feedly Summary: Storm-1175, a financially motivated actor known for deploying Medusa ransomware and exploiting public-facing applications for initial access, was observed exploiting the deserialization vulnerability in GoAnywhere MFT’s License Servlet, tracked as CVE-2025-10035. We are publishing this blog post to increase awareness of this threat and to share end-to-end protection coverage details across Microsoft Defender.
The post Investigating active exploitation of CVE-2025-10035 GoAnywhere Managed File Transfer vulnerability appeared first on Microsoft Security Blog.
AI Summary and Description: Yes
Summary: The text provides a detailed security advisory regarding a critical deserialization vulnerability (CVE-2025-10035) in GoAnywhere MFT, highlighting its implications for remote code execution and malicious exploitation by the cybercriminal group Storm-1175. It emphasizes the urgency of immediate patching to mitigate risks and outlines essential protective measures for organizations.
Detailed Description:
This security advisory details a critical vulnerability in GoAnywhere Managed File Transfer (MFT) that could have severe implications if exploited. The main points of the advisory include:
– **Vulnerability Overview**:
– The flaw is a deserialization vulnerability in GoAnywhere MFT’s License Servlet, assigned CVE-2025-10035, with a CVSS score of 10.0, indicating its critical severity.
– It could be exploited by an attacker with a forged license response signature, allowing command injection and potential remote code execution (RCE).
– **Threat Actor Activity**:
– The cybercriminal group Storm-1175 has been observed exploiting this vulnerability.
– Their tactics involved initial access gained through the vulnerability, using remote monitoring and management tools like SimpleHelp and MeshAgent for persistence.
– They executed commands for user and system discovery and employed Rclone for data exfiltration, culminating in the deployment of Medusa ransomware.
– **Mitigation Strategies**:
– Organizations are urged to upgrade to the latest version of GoAnywhere MFT per Fortra’s guidance.
– Recommendations for securing systems include:
– Use of attack surface management tools for identifying vulnerable systems.
– Configuration of perimeter firewalls to limit arbitrary internet access.
– Employing endpoint detection and response tools in block mode for better protection against malicious artifacts.
– **Microsoft Defender Protections**:
– Microsoft has rolled out protective measures within Microsoft Defender post-discovery of the vulnerability.
– Tools and tactics are discussed for detection and protection, such as leveraging Microsoft Defender for Endpoint for alerts related to exploitation attempts.
– **Security Copilot Features**:
– Introduction of Microsoft Security Copilot to help automate incident response and investigation tasks related to the vulnerability.
– Details are provided on threat analytics, hunting queries, and indicators of compromise that organizations can utilize for enhanced security.
– **Recommendations for Organizations**:
– Immediate action is necessary to mitigate risks associated with the vulnerability.
– Continuous monitoring and reviewing license verification mechanisms to identify and address suspicious activities are essential.
Overall, the advisory underscores the critical nature of CVE-2025-10035 and offers substantial guidance for IT and security professionals to safeguard their environments against potential exploitation.