Perfect 10.0 CVSS Flaw in GoAnywhere MFT Exploited by Medusa Ransomware Group

Microsoft Attributes GoAnywhere MFT Zero-Day Exploitation (CVE-2025-10035) to Medusa Ransomware Operator Storm-1175

CRITICAL | October 9, 2025 | 5 min read
Topics: Vulnerability, Ransomware, Threat Actor

Related Entities

Threat Actors: Storm-1175
Products & Tech: GoAnywhere MFT, SimpleHelp, MeshAgent, Rclone
Other: Medusa Ransomware
CVE Identifiers: CVE-2025-10035 (CRITICAL, CVSS 10.0)

Executive Summary

Microsoft Threat Intelligence has formally attributed the exploitation of a maximum-severity vulnerability in Fortra's GoAnywhere Managed File Transfer (MFT) solution to the financially motivated threat group Storm-1175. The vulnerability, tracked as CVE-2025-10035, is a deserialization flaw that allows for unauthenticated remote code execution (RCE) and has been assigned a CVSS score of 10.0. Storm-1175, the operator behind the Medusa ransomware, has been actively exploiting this flaw as a zero-day since mid-September 2025. The group uses the initial access to deploy backdoors, exfiltrate data, and ultimately encrypt victim networks, posing a critical threat to users of the affected software.

Threat Overview

The attack targets GoAnywhere MFT, a popular enterprise solution for secure file transfers. The CVE-2025-10035 vulnerability allows an attacker to achieve a full system compromise without any authentication. Storm-1175 has weaponized this flaw to breach organizations across multiple sectors, including finance, healthcare, and technology. Their attack chain is methodical: gain access via the exploit, establish persistence using legitimate Remote Monitoring and Management (RMM) tools, move laterally, exfiltrate sensitive data, and then deploy the Medusa ransomware for double extortion. This follows a pattern of ransomware groups targeting MFT solutions, which are high-value targets due to the sensitive data they process and store.

Technical Analysis

CVE-2025-10035 is a deserialization vulnerability. An attacker can craft a malicious payload and send it to the server, disguised as a valid license response. When the server deserializes this malicious object, it leads to arbitrary code execution with the privileges of the GoAnywhere MFT service. This provides a direct path to system compromise.

Once inside, Storm-1175's post-exploitation TTPs include:

  • Persistence: Deploying legitimate RMM tools like SimpleHelp and MeshAgent, and placing JSP backdoors in GoAnywhere web directories.
  • Lateral Movement: Using Remote Desktop Protocol (RDP) to move to other systems on the network.
  • Data Exfiltration: Leveraging the Rclone utility to copy large amounts of sensitive data to attacker-controlled cloud storage.
  • Impact: Deploying the Medusa ransomware to encrypt files on the compromised network.

Impact Assessment

A CVSS 10.0 vulnerability in a widely used MFT solution represents a worst-case scenario for affected organizations. Successful exploitation grants attackers complete control over a system designed to handle a company's most sensitive data transfers. The consequences include immediate data breach, massive operational disruption from ransomware, significant financial costs for recovery and potential ransom payments, and severe reputational damage. The targeting of finance and healthcare sectors raises the stakes, with potential for regulatory penalties under frameworks like HIPAA and GLBA.

Cyber Observables for Detection

Each observable is listed as type, value and description:

  • file_name: SimpleHelp.exe, MeshAgent.exe. Presence of these legitimate RMM tools in unexpected locations or on MFT servers.
  • file_name: *.jsp. Look for newly created or modified JSP files in the GoAnywhere web directories, which could be backdoors.
  • process_name: rclone.exe. The execution of the Rclone tool on servers is a major red flag for data exfiltration.
  • network_traffic_pattern: connections to mega.nz, pcloud.com. Rclone is often configured to exfiltrate data to these and other cloud storage providers.
  • log_source: GoAnywhere MFT Audit Logs. Review for anomalous license update activities or errors that could indicate an exploit attempt.

Detection & Response

  1. Vulnerability Scanning: Immediately scan your environment for vulnerable instances of GoAnywhere MFT. Prioritize internet-facing systems.
  2. Log and Network Monitoring: Monitor for the IOCs listed above. Pay close attention to outbound network traffic from MFT servers to cloud storage providers. Use D3FEND's Network Traffic Analysis (D3-NTA) to spot anomalous connections.
  3. File Integrity Monitoring: Implement FIM on GoAnywhere MFT servers to detect the creation of suspicious JSP files or the presence of tools like Rclone, SimpleHelp, or MeshAgent.
  4. Process Monitoring: Use an EDR to monitor for the execution of these tools and alert security teams immediately. This aligns with D3FEND's Process Analysis (D3-PA).
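The observables and monitoring steps above turned into detection logic, as an added example that is not from the article: it runs the file, process and network checks over constructed sample telemetry and flags hosts where more than one stage of the described chain (persistence plus exfiltration) is visible. The event record shape and the GoAnywhere web-root path pattern are assumptions, not a vendor schema.

```python
# Added detection example (not from the article). Event shape is a simplified,
# constructed Sysmon-like record; WEB_ROOT is an assumption about install paths.
import ntpath
import re

PROC_RULES = {"rclone.exe": "rclone_on_mft_server",             # exfiltration utility
              "simplehelp.exe": "rmm_tool_on_mft_server",       # legitimate RMM tools
              "meshagent.exe": "rmm_tool_on_mft_server"}        # abused for persistence
EXFIL_DOMAINS = ("mega.nz", "pcloud.com")  # cloud storage named in the observables table
# Assumption: GoAnywhere's Tomcat web root lies under ...GoAnywhere...\webapps\ (adjust to your install)
WEB_ROOT = re.compile(r"goanywhere.*[\\/]webapps[\\/]", re.I)
STAGE = {"rclone_on_mft_server": "exfiltration", "egress_to_cloud_storage": "exfiltration",
         "rmm_tool_on_mft_server": "persistence", "jsp_in_goanywhere_webroot": "persistence"}

SAMPLE_EVENTS = [  # constructed telemetry: five malicious records, one benign
    {"type": "process", "host": "mft01", "image": r"C:\Windows\Temp\rclone.exe"},
    {"type": "file", "host": "mft01", "action": "create", "path": r"C:\GoAnywhere\tomcat\webapps\ROOT\help.jsp"},
    {"type": "process", "host": "mft01", "image": r"C:\Users\Public\SimpleHelp.exe"},
    {"type": "network", "host": "mft01", "dest_host": "api.mega.nz", "dest_port": 443},
    {"type": "file", "host": "mft01", "action": "modify", "path": r"C:\GoAnywhere\tomcat\webapps\ROOT\index.jsp"},
    {"type": "process", "host": "mft01", "image": r"C:\GoAnywhere\jre\bin\java.exe"},
]

def check_event(ev):
    """Return [(rule, detail)] for one event, or [] when nothing matches."""
    if ev["type"] == "process":
        name = ntpath.basename(ev["image"]).lower()  # ntpath handles both slash styles
        return [(PROC_RULES[name], ev["image"])] if name in PROC_RULES else []
    if ev["type"] == "file":
        path = ev["path"]
        if path.lower().endswith(".jsp") and WEB_ROOT.search(path):
            return [("jsp_in_goanywhere_webroot", f"{ev['action']}: {path}")]
    if ev["type"] == "network":
        dest = ev["dest_host"].lower()
        if any(dest == d or dest.endswith("." + d) for d in EXFIL_DOMAINS):
            return [("egress_to_cloud_storage", dest)]
    return []

def scan(events):
    """Apply check_event to every record and flatten the hits into alert dicts."""
    return [{"host": ev["host"], "rule": rule, "detail": detail}
            for ev in events for rule, detail in check_event(ev)]

def hosts_with_chain(alerts):
    """Hosts where more than one stage of the article's attack chain is visible."""
    stages = {}
    for a in alerts:
        stages.setdefault(a["host"], set()).add(STAGE[a["rule"]])
    return {h: sorted(s) for h, s in stages.items() if len(s) > 1}
```

Running scan(SAMPLE_EVENTS) yields five alerts and hosts_with_chain() escalates mft01 because both persistence and exfiltration indicators are present; the domain check deliberately requires an exact or dotted-suffix match so that a look-alike such as notmega.nz does not fire.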

Mitigation

  1. Patch Immediately: Apply the patch provided by Fortra in GoAnywhere MFT version 7.8.4. This is the most critical step and falls under D3FEND's Software Update (D3-SU).
  2. Reduce Attack Surface: If patching is delayed, restrict access to the GoAnywhere MFT web interface to trusted IP addresses only. Do not expose the administrative interface to the public internet. This is a form of D3FEND's Inbound Traffic Filtering (D3-ITF).
  3. Egress Filtering: Block outbound traffic from MFT servers to known cloud storage providers and other destinations not required for legitimate business operations. This can prevent or disrupt the data exfiltration stage.
  4. Application Control: Use application allowlisting to prevent the execution of unauthorized software like Rclone and RMM tools on MFT servers.
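A small triage helper for the "scan, then patch internet-facing systems first" steps (Detection & Response step 1 and Mitigation steps 1 and 2), added here as an example rather than taken from the article. It reads a constructed host inventory, flags builds below the 7.8.4 fix the article names, and ranks internet-facing hosts first with the interim access restriction noted for them; the inventory format and the assumption that 7.8.4 is the only fixed build are the example's own.

```python
# Added triage helper, not from the article: flags GoAnywhere MFT hosts still below the fixed
# version named above and puts internet-facing ones first. Inventory lines are constructed.
# Caveat: the article names only 7.8.4; if Fortra's advisory lists fixed builds on other
# branches, extend is_fixed() before relying on a plain "below 7.8.4" comparison.
import re

FIXED_VERSION = (7, 8, 4)

INVENTORY = """# host,version,exposure   (constructed sample data)
mft-dmz-01,7.8.3,internet
mft-int-02,7.7.0,internal
mft-dmz-03,7.8.4,internet
mft-int-04,7.8.2 build 1,internal
""".splitlines()

def parse_version(text):
    """'7.8.4' -> (7, 8, 4); reads the leading dotted digits and ignores trailing build text."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(x or 0) for x in m.groups())

def is_fixed(version):
    """True when the build is at or above the fixed version from Mitigation step 1."""
    return parse_version(version) >= FIXED_VERSION

def triage(lines):
    """Return unpatched hosts as dicts, internet-facing first, then oldest build first."""
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        host, version, exposure = (f.strip() for f in line.split(","))
        if is_fixed(version):
            continue
        exposed = exposure == "internet"
        findings.append({"host": host, "version": version, "priority": "P1" if exposed else "P2",
                         "interim": "restrict web UI to trusted IPs until patched" if exposed else "schedule patch"})
    findings.sort(key=lambda f: (f["priority"], parse_version(f["version"])))
    return findings
```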

Timeline of Events

  1. September 11, 2025: Microsoft first detected active exploitation of CVE-2025-10035 by the Storm-1175 group.
  2. October 9, 2025: This article was published.

MITRE ATT&CK Mitigations

  1. Apply the patch from Fortra (version 7.8.4) to remediate the vulnerability.
  2. Restrict network access to the GoAnywhere MFT administrative interface.
  3. Implement egress filtering to block connections to unauthorized cloud storage providers.
  4. Use application control to prevent unauthorized tools like Rclone from running on MFT servers.

D3FEND Defensive Countermeasures

The immediate and most crucial action for all organizations using Fortra's GoAnywhere MFT is to upgrade to the patched version 7.8.4 or later. Given the 10.0 CVSS score and active exploitation by a known ransomware group, this should be treated as an emergency change. Prioritize patching on internet-facing systems immediately. After patching, it is vital to verify the update was successful and then to initiate a threat hunt for any signs of compromise that may have occurred prior to the patch being applied, as exploitation was observed in the wild before the patch was widely available. Maintaining an aggressive patch management cycle for critical, internet-exposed infrastructure like MFT solutions is non-negotiable in the current threat environment.

Implement strict outbound traffic filtering (egress filtering) on the firewalls protecting GoAnywhere MFT servers. The default policy should be to deny all outbound connections, with explicit allow rules created only for known, legitimate business destinations. This countermeasure is highly effective at disrupting the Storm-1175 attack chain, specifically the data exfiltration phase using Rclone. By blocking connections to common cloud storage providers (for example Mega or pCloud) and other non-essential internet services, you can prevent attackers from stealing data, which is a precursor to the Medusa ransomware deployment. It also forces the attacker's C2 and exfiltration tools to fail, generating noise that network monitoring systems can detect.

On the servers hosting GoAnywhere MFT, deploy application allowlisting technologies like AppLocker. This hardens the system by preventing the execution of any unauthorized software. In the context of this attack, it would block Storm-1175 from running post-exploitation tools such as Rclone.exe, SimpleHelp.exe, and MeshAgent.exe. The allowlist should be configured in 'default deny' mode, permitting only the core GoAnywhere MFT binaries and essential operating system processes to run. This effectively neutralizes the attacker's ability to establish persistence with RMM tools or use utilities for data exfiltration, forcing them to fall back on living-off-the-land binaries and scripts, which are more complex to use and potentially easier to detect.

Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Areas: Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags: Deserialization, RCE, MFT, GoAnywhere, Storm-1175, Medusa Ransomware
