
"CVE-2025-10035 is a critical deserialisation flaw - bearing a CVSS score of 10.0 - in the GoAnywhere MFT licence servlet. Left unaddressed, it enables a threat actor who has obtained a validly forged licence response signature to deserialise an arbitrary, actor-controlled object. Early reports suggest that an attacker does not need to authenticate if they can craft or intercept a valid licence response, making internet-exposed instances of GoAnywhere particularly vulnerable. Ultimately, exploitation can lead to command injection and remote code execution."
"Microsoft said it had identified a multi-stage attack chain in which the original zero-day was exploited in the manner already detailed, after which the gang abused the SimpleHelp and MeshAgent remote monitoring and management (RMM) tools to maintain persistence. Storm-1175 then ran user and system discovery commands and deployed tools such as netscan for network discovery, before using mstsc.exe to conduct lateral movement. Command and control is achieved with RMM tools, and the gang has even used a Cloudflare tunnel for secure communications."
CVE-2025-10035 is a critical deserialisation vulnerability in the GoAnywhere MFT licence servlet, rated CVSS 10.0, that allows deserialisation of actor-controlled objects once a validly forged licence response signature is obtained. Early reports suggest no authentication is needed if the attacker can craft or intercept a valid licence response, which puts internet-exposed instances at particular risk. Exploitation can lead to command injection and remote code execution. Fortra released a patch and advisory on 18 September. Microsoft observed Storm-1175 exploiting the flaw on 11 September in a multi-stage chain: SimpleHelp and MeshAgent RMM tools for persistence, user, system and network discovery (including netscan), lateral movement via mstsc.exe, command and control through the RMM tools and a Cloudflare tunnel, and Rclone for exfiltration.
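The post-exploitation chain above is what a SOC can actually hunt for, since the licence servlet deserialisation itself leaves little on the endpoint. The following Python is an added illustration written for this page, not code from the article, Microsoft or Fortra: it parses constructed process-creation events, tags each with a chain stage using the tool names the reporting gives (SimpleHelp, MeshAgent, netscan, mstsc.exe, Rclone), and raises an alert only when one host shows several stages inside a time window, so a lone RDP session from an admin workstation does not fire. The log format, the `cloudflared` binary name for the Cloudflare tunnel, and `whoami`/`net user` as generic discovery indicators are assumptions.

```python
"""Stage-correlation detector for the Storm-1175 style post-exploitation chain.

Added example for this page. The event lines below are constructed, not real
telemetry; the log format is assumed. Indicator names come from the reporting
except 'cloudflared' (assumed tunnel binary) and whoami/net user (assumed
generic discovery commands).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Stage -> substrings matched case-insensitively against image path + command line.
STAGE_INDICATORS = {
    "persistence_rmm": ("simplehelp", "meshagent"),   # RMM tools from the reporting
    "discovery": ("netscan", "whoami", "net user"),   # netscan from the reporting; others assumed
    "lateral_movement": ("mstsc.exe",),               # RDP client from the reporting
    "c2_tunnel": ("cloudflared",),                    # assumed binary name for a Cloudflare tunnel
    "exfiltration": ("rclone",),                      # Rclone from the reporting
}

# Assumed flat key=value event format: ts host user image cmd="..."
LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) image=(?P<image>\S+) cmd="(?P<cmd>.*)"$'
)

# Constructed sample: one compromised file-transfer host showing the full chain,
# one HR workstation doing an ordinary RDP session, one unparseable line.
SAMPLE_EVENTS = [
    '2025-09-11T02:14:07 host=GOANYWHERE01 user=svc_mft image=C:\\Users\\Public\\SimpleHelp\\remote.exe cmd="remote.exe"',
    '2025-09-11T02:21:30 host=GOANYWHERE01 user=svc_mft image=C:\\Windows\\System32\\cmd.exe cmd="cmd.exe /c whoami & net user"',
    '2025-09-11T02:40:12 host=GOANYWHERE01 user=svc_mft image=C:\\Users\\Public\\netscan.exe cmd="netscan.exe"',
    '2025-09-11T03:05:48 host=GOANYWHERE01 user=svc_mft image=C:\\Windows\\System32\\mstsc.exe cmd="mstsc.exe"',
    '2025-09-11T04:10:03 host=GOANYWHERE01 user=svc_mft image=C:\\Users\\Public\\cloudflared.exe cmd="cloudflared.exe"',
    '2025-09-11T05:30:55 host=GOANYWHERE01 user=svc_mft image=C:\\Users\\Public\\rclone.exe cmd="rclone.exe"',
    '2025-09-11T09:00:00 host=WS-HR-07 user=jdoe image=C:\\Windows\\System32\\mstsc.exe cmd="mstsc.exe"',
    "garbage line that does not parse",
]


def parse_event(line):
    """Return a dict for a well-formed event line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def classify(event):
    """List the chain stages whose indicators appear in the image path or command line."""
    haystack = (event["image"] + " " + event["cmd"]).lower()
    return [stage for stage, needles in STAGE_INDICATORS.items()
            if any(n in haystack for n in needles)]


def correlate(lines, window=timedelta(hours=6), min_stages=3):
    """Alert per host when at least min_stages distinct stages occur within window.

    Returns {host: sorted list of stages seen in the first qualifying window}.
    """
    per_host = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue  # skip malformed telemetry rather than crash the pipeline
        for stage in classify(ev):
            per_host[ev["host"]].append((ev["ts"], stage, ev["image"]))

    alerts = {}
    for host, hits in per_host.items():
        hits.sort()
        for i, (t0, _, _) in enumerate(hits):
            in_window = [h for h in hits[i:] if h[0] - t0 <= window]
            stages = sorted({s for _, s, _ in in_window})
            if len(stages) >= min_stages:
                alerts[host] = stages
                break
    return alerts


if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: chain stages observed -> {', '.join(stages)}")
```

Raising `min_stages` trades recall for precision; with the default of three, the HR workstation's single `mstsc.exe` launch is ignored while the file-transfer host trips on five distinct stages inside the window.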
Read at ComputerWeekly.com