A newly disclosed vulnerability in Fortra’s GoAnywhere Managed File Transfer (MFT), tracked as CVE-2025-10035, has rapidly escalated into a serious security incident: the flaw is a deserialization bug in the License Servlet allowing command injection via a forged license response signature, and security researchers report credible evidence that it was exploited in the wild as early as September 10, 2025 — eight days before public disclosure. Microsoft‘s security team attributes ongoing attacks to a known threat actor group, Storm-1175, which has leveraged the vulnerability in multiple stages including remote monitoring tool deployment, lateral movement, and ransomware installation. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially added CVE-2025-10035 to its Known Exploited Vulnerabilities (KEV) list and ordered federal civilian agencies to remediate the flaw by October 20, 2025. Users of GoAnywhere MFT are urged to immediately patch to versions 7.8.4 (or 7.6.3 for sustain release) and isolate the Admin Console from public network exposure.
Key Takeaways
– CVE-2025-10035 is a critical, unauthenticated deserialization vulnerability in the GoAnywhere License Servlet, rated CVSS 10.0, which enables remote code execution via a forged license response signature.
– Evidence suggests the vulnerability was being actively exploited well before the public patch release, and a known ransomware-capable threat group (Storm-1175) is tied to real attacks leveraging it.
– Because the exploit depends on Admin Console exposure, immediate mitigation steps include patching to GoAnywhere MFT 7.8.4 or sustain release 7.6.3, removing public access to the administration interface, and monitoring for suspicious “SignedObject.getObject” log entries.
In-Depth
This incident underscores once again how enterprise file transfer software can become a prime target for attackers, especially when flaws allow unauthenticated access to critical internal mechanisms. The root of the problem lies in GoAnywhere’s License Servlet, which, in vulnerable versions (pre-7.8.4 or pre-7.6.3 sustain), fails to sufficiently validate serialized data. If an attacker can forge a license response signature, they can cause the system to deserialize attacker-controlled objects, leading to arbitrary code execution deep inside the server environment.
What intensifies the severity here is that exploitation does not require prior authentication; an attacker merely needs network access to the vulnerable endpoint. That means that any Admin Console or License interface exposed to the internet becomes a direct attack vector. Security firms — in particular watchTowr — assert they have credible evidence of exploitation dating back to September 10, 2025, which predates the public advisory on September 18. This timeline suggests that attackers leveraged zero-day capabilities before most defenders had awareness or time to respond.
Microsoft’s reporting ties the exploitation to Storm-1175, a group already known for deploying the Medusa ransomware family. In observed campaigns, the attackers exploited CVE-2025-10035 for initial access, dropped remote monitoring/management (RMM) tools like SimpleHelp and MeshAgent, planted web shells (.jsp files), used internal discovery (e.g. netscan) and lateral movement (mstsc.exe), and set up command-and-control infrastructure (sometimes via Cloudflare tunnels). The final payload in at least one observed environment was Medusa ransomware.
Given the confirmed exploitation and the critical nature of this flaw, U.S. federal agencies were mandated to patch by October 20 via CISA’s binding directive, and the CVE has now been listed in the KEV catalog. But this isn’t just a U.S. government issue — any organization using GoAnywhere MFT faces serious risk if their Admin Console is exposed or their instances are unpatched.
For defenders, patching is the first priority. But for systems that can’t be updated immediately, the workaround is to entirely restrict public access to the Admin / License endpoints — e.g., placing them behind VPN/NAT, firewall rules, or segmentation. Log monitoring is also essential: look for license validation activity, deserialization errors involving “SignedObject.getObject,” or the use of RMM tools in odd contexts. Threat hunting hammering on indicators tied to Storm-1175’s known toolset and tactics is warranted.
In the broader picture, this flaw mirrors earlier exploits of managed file transfer platforms (such as MOVEit, Accellion, or earlier GoAnywhere vulnerabilities), reinforcing a pattern: systems designed to move sensitive data between systems (often under the assumption of internal trust) become high-value targets when a single flaw unlocks administrative power. Organizations must maintain defense in depth: network exposure controls, aggressive patch cycles, layered monitoring, and incident readiness. In this case, the margin for delay is slim — the evidence suggests attacks are already underway, making urgent remediation not just best practice, but imperative.