
"A recently patched vulnerability in Fortra GoAnywhere MFT (Managed File Transfer) was exploited as a zero-day by a Chinese ransomware group, Microsoft reports. The flaw, tracked as CVE-2025-10035 (CVSS score of 10/10), was disclosed on September 18, when Fortra rolled out patches for it. A deserialization issue in the application's license servlet, the bug can be exploited for command injection and remote code execution (RCE)."
"The ransomware gang was seen targeting internet-facing GoAnywhere MFT instances with forged license response signatures to achieve RCE. The attackers deployed the SimpleHelp and MeshAgent remote monitoring and management (RMM) tools under the GoAnywhere MFT process, and created a .jsp file within the application's directory. Next, the threat actor performed user, system, and network discovery, followed by lateral movement using mstsc.exe. Storm-1175 also set up a Cloudflare tunnel for command-and-control (C&C) communication."
An unpatched deserialization vulnerability in Fortra GoAnywhere MFT (CVE-2025-10035, CVSS 10.0) enables unauthenticated command injection and remote code execution via the application's license servlet. Exploitation began at least as early as September 10–11, with Storm-1175 using forged license response signatures to target internet-facing instances. Attackers created backdoor administrator accounts, deployed the SimpleHelp and MeshAgent RMM tools under the GoAnywhere process, dropped a .jsp webshell, and performed discovery and lateral movement via mstsc.exe. The threat group established a Cloudflare tunnel for C&C, used Rclone for data exfiltration, and deployed Medusa ransomware. Fortra has not updated its advisory to note active exploitation.
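As an added example (not part of the SecurityWeek report or the summary above), the following Python scan looks for the post-exploitation behaviour described: RMM tools spawned under the GoAnywhere MFT process, a new .jsp written into the application directory, and a Cloudflare tunnel client starting. The install path, image names and the event layout are assumptions, and the sample events are constructed for this example.

```python
import re

# Heuristics for the behaviour described in the report. The GoAnywhere
# install path, process/image names and the event field layout are
# assumptions for this example, not values taken from the report.
GOANYWHERE_DIR = re.compile(r"goanywhere", re.IGNORECASE)
RMM_TAGS = ("simplehelp", "meshagent")  # RMM tools named in the report


def under_goanywhere(ev):
    """True if the event's parent process lives in the GoAnywhere install tree."""
    return bool(GOANYWHERE_DIR.search(ev.get("parent", "")))


def flag_event(ev):
    """Return human-readable reasons this single event is suspicious (empty if none)."""
    reasons = []
    if ev["type"] == "process":
        image = ev["image"].lower()
        # RMM tooling launched by the MFT application itself is not expected behaviour.
        if under_goanywhere(ev) and any(tag in image for tag in RMM_TAGS):
            reasons.append(f"RMM tool spawned under GoAnywhere process: {ev['image']}")
        # cloudflared is the Cloudflare tunnel client (assumed image name).
        if image.endswith("cloudflared.exe"):
            reasons.append(f"Cloudflare tunnel client started: {ev['image']}")
    elif ev["type"] == "file":
        path = ev["path"]
        # A .jsp appearing in the app tree after deployment is a webshell indicator.
        if GOANYWHERE_DIR.search(path) and path.lower().endswith(".jsp"):
            reasons.append(f"new .jsp written into GoAnywhere directory: {path}")
    return reasons


def scan(events):
    """Return (event_index, reason) pairs for every flagged event."""
    return [(i, r) for i, ev in enumerate(events) for r in flag_event(ev)]


GA_JAVA = r"C:\Program Files\Fortra\GoAnywhere\jre\bin\java.exe"  # assumed path
SAMPLE_EVENTS = [  # constructed telemetry, not real logs
    {"type": "process", "parent": GA_JAVA, "image": r"C:\ProgramData\SimpleHelp\Remote Access.exe"},
    {"type": "process", "parent": GA_JAVA, "image": r"C:\Windows\Temp\MeshAgent.exe"},
    {"type": "file", "path": r"C:\Program Files\Fortra\GoAnywhere\tomcat\webapps\ROOT\x.jsp"},
    {"type": "process", "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\mstsc.exe"},
    {"type": "process", "parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Users\Public\cloudflared.exe"},
    {"type": "process", "parent": GA_JAVA, "image": GA_JAVA},  # benign: application respawning itself
]

if __name__ == "__main__":
    for idx, reason in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```

Baseline the .jsp check against a known-good install, since the application ships its own JSP pages; the scan only flags files written after that baseline.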
Read at SecurityWeek