CVE-2025-10035: Critical GoAnywhere MFT Vulnerability Could Lead to Command Injection
[Update] October 7, 2025: Added details on active exploitation of CVE-2025-10035 by Storm-1175 to deploy Medusa ransomware, following Microsoft’s latest confirmation.
[Update] CVE-2025-10035 Added to CISA’s KEV Catalog
Secure file transfer platforms are frequent targets for cyberattacks, and a recently revealed flaw in Fortra’s GoAnywhere MFT highlights this ongoing risk. A critical vulnerability in the platform’s License Servlet, tracked as CVE-2025-10035, could open the door to severe exploitation if left unpatched. With a maximum severity score, this issue demands immediate attention from administrators.
What Is CVE-2025-10035?
CVE-2025-10035 (CVSS 10.0) arises from improper deserialization within the License Servlet component of GoAnywhere MFT. By forging a valid license response signature, an attacker could trick the system into loading a malicious object. This process can escalate to command injection, potentially giving an adversary broad control over the targeted environment.
This vulnerability can be exploited remotely, without user interaction, and with minimal complexity, meaning an attacker does not need advanced skills or privileged access to launch an attack. The only major prerequisite is that the Admin Console is accessible externally, a common configuration for many organizations.

CVE-2025-10035 (SOCRadar Vulnerability Intelligence)
According to Fortra, the issue was uncovered during a security check on September 11, 2025, and disclosed publicly on September 18, 2025.
Who Is Impacted?
The vulnerability specifically affects instances of GoAnywhere MFT where the Admin Console is accessible over the internet. Systems restricted to internal networks face a significantly lower risk, but those exposed online are highly susceptible.
Administrators can check for potential compromise by reviewing their Admin Audit logs and error files. One red flag is the presence of error messages containing SignedObject.getObject, which signals that the instance may have processed a malicious license response.
Has CVE-2025-10035 Been Exploited?
Microsoft has confirmed that the cybercrime group Storm-1175, a Medusa ransomware affiliate, has been actively exploiting CVE-2025-10035 since at least September 11, 2025. Although Fortra released a patch, researchers at WatchTowr Labs later confirmed that the vulnerability had been exploited as a zero-day for nearly a week prior to the update.
Medusa Ransomware’s threat actor card
According to Microsoft’s investigation, the attackers leveraged this GoAnywhere MFT deserialization flaw for initial access before deploying RMM tools like SimpleHelp and MeshAgent to maintain persistence.
Subsequent stages involved network reconnaissance using Netscan, lateral movement through Remote Desktop Connection (mstsc.exe), data exfiltration with Rclone, and finally, file encryption with Medusa ransomware payloads.
The flaw, which Fortra has since patched, was confirmed after the patch by WatchTowr Labs to have been exploited as a zero-day for nearly a week beforehand. Over 500 exposed GoAnywhere instances remain under observation by researchers, emphasizing the need for immediate patching and for reviewing logs for SignedObject.getObject entries.
What’s the Exposure Scope?
At the time of writing, Shadowserver is tracking more than 450 GoAnywhere MFT instances reachable over the internet, although the exact number of unpatched systems remains unclear.

GoAnywhere MFT instances exposed over the internet (Shadowserver)
History also shows that the risk is real. GoAnywhere MFT was previously exploited through CVE-2023-0669; in those attacks, the Clop ransomware group claimed responsibility for breaching numerous organizations. That earlier flaw triggered a surge in ransomware incidents, making the newly disclosed CVE-2025-10035 a prime candidate for future attacks.
Recommended Mitigation Steps
Fortra has already issued patches addressing CVE-2025-10035. Customers are strongly advised to:
- Upgrade immediately to GoAnywhere MFT 7.8.4 or the Sustain Release 7.6.3.
- If upgrading is not possible, restrict external access to the Admin Console to reduce exposure.
- Regularly monitor logs for anomalies, especially entries related to SignedObject.getObject.
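The log review described in the "Who Is Impacted?" section and in the third mitigation step can be scripted. The following is an added example, not Fortra's or SOCRadar's code: it scans log text for the SignedObject.getObject indicator and for connections to the IOC IPs listed at the end of this post. The log line format in the sample is constructed for illustration and is not GoAnywhere's real layout.

```python
import re
from dataclasses import dataclass

# Indicator named in Fortra's guidance: error entries mentioning
# SignedObject.getObject suggest a malicious license response was processed.
ERROR_INDICATOR = "SignedObject.getObject"

# Defanged IOC IPs from this post's indicator list; refanged before matching.
DEFANGED_IPS = ["31[.]220[.]45[.]120", "45[.]11[.]183[.]123", "213[.]183[.]63[.]41"]


def refang(ip: str) -> str:
    """Turn a defanged address such as 1[.]2[.]3[.]4 back into 1.2.3.4."""
    return ip.replace("[.]", ".")


IOC_IPS = {refang(ip) for ip in DEFANGED_IPS}
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass
class Finding:
    line_no: int
    kind: str       # "deserialization_error" or "ioc_ip"
    evidence: str   # the matched indicator string or IP address
    line: str


def scan_log(text: str) -> list:
    """Return one Finding per indicator hit, in file order."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        if ERROR_INDICATOR in line:
            findings.append(Finding(no, "deserialization_error", ERROR_INDICATOR, line))
        for ip in IP_RE.findall(line):
            if ip in IOC_IPS:
                findings.append(Finding(no, "ioc_ip", ip, line))
    return findings


# Constructed sample log (illustrative format, not GoAnywhere's actual layout).
SAMPLE_LOG = """\
2025-09-12 03:14:07 INFO  Admin login succeeded for user admin from 10.0.0.5
2025-09-12 03:15:22 ERROR License response handling failed: ClassCastException at java.security.SignedObject.getObject
2025-09-12 03:15:23 WARN  Outbound connection attempt to 31.220.45.120:443
2025-09-12 03:16:00 INFO  Scheduled job completed
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.kind} ({f.evidence})")
```

Point it at the real Admin Audit log and error files by reading them into `scan_log`; any `deserialization_error` hit warrants incident response, not just patching.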
For further technical details and updates, refer to Fortra’s official advisory.
CVE-2025-10035 Added to CISA’s KEV Catalog
As of September 29, 2025, CISA has added CVE-2025-10035 in Fortra GoAnywhere MFT to its Known Exploited Vulnerabilities (KEV) catalog. Federal agencies must remediate the issue or discontinue use of affected versions by October 20, 2025.
Close the Gaps in Your Attack Surface
Blind spots often go unnoticed until attackers exploit them. Exposed assets, unpatched vulnerabilities, or forgotten services can quietly expand your attack surface.
SOCRadar’s Attack Surface Management (ASM) continuously scans your external environment to uncover these weak points, while Vulnerability Intelligence adds context by tracking new CVEs, active exploits, and real-world attacker activity.

Monitor company vulnerabilities via SOCRadar’s Attack Surface Management (ASM)
Together, they give your security team the visibility and actionable intelligence needed to prioritize patches, close gaps faster, and reduce the chance of becoming the next target.
Indicators of Compromise (IOCs)
File hashes:
- 4106c35ff46bb6f2f4a42d63a2b8a619f1e1df72414122ddf6fd1b1a644b3220 (MeshAgent SHA-256)
- c7e2632702d0e22598b90ea226d3cde4830455d9232bd8b33ebcb13827e99bc3 (SimpleHelp SHA-256)
- cd5aa589873d777c6e919c4438afe8bceccad6bbe57739e2ccb70b39aee1e8b3 (SimpleHelp SHA-256)
- 5ba7de7d5115789b952d9b1c6cff440c9128f438de933ff9044a68fff8496d19 (SimpleHelp SHA-256)
IP addresses:
- 31[.]220[.]45[.]120
- 45[.]11[.]183[.]123
- 213[.]183[.]63[.]41