A threat group Microsoft tracks as China-based Storm-1175 — best known for deploying the Medusa ransomware — was observed exploiting a deserialization flaw rated 10.0 in the License Servlet of GoAnywhere MFT, Fortra’s secure transfer product.

In their Oct. 6 blog post, Microsoft researchers said successful exploitation of the critical flaw, CVE-2025-10035, lets attackers perform system and user discovery, maintain long-term access, and deploy additional tools for lateral movement and malware.

Microsoft recommended that security teams patch immediately, review license verification mechanisms, and closely monitor GoAnywhere MFT environments for suspicious activity.

Echoes of MOVEit transfer incident

The report by Microsoft confirms a Sept. 25 post by watchTowr that the Fortra deserialization flaw was actively exploited at least eight days before Fortra released patches on Sept. 18. Microsoft Defender researchers said in the Oct. 6 post that they observed exploitation by Storm-1175 on Sept. 11.

Security pros agreed that teams should patch immediately, as the exploitation of the GoAnywhere MFT software echoes the MOVEit transfer case of 2023.

“Microsoft has connected the Medusa ransomware group to the recent exploitation of a serious GoAnywhere MFT vulnerability, which is similar to the large-scale MOVEit attacks,” said Noelle Murata, senior security engineer at Xcape, Inc. “Attackers have allegedly used this flaw for over a month to remotely execute code, install remote management tools, steal data, and deploy ransomware.”

Murata said the campaign's scope and discretion suggest a coordinated effort to exploit unpatched systems. Murata said security teams should immediately patch GoAnywhere, check for signs of compromise, change credentials, and improve monitoring to stop further spread.

“This attack highlights the ongoing targeting of file transfer platforms as valuable entry points,” said Murata.

Nick Dixon, security operations and support manager at Blumira, concurred that the Fortra GoAnywhere exploitation is reminiscent of the 2023 MOVEit attack and follows a near-identical playbook: a zero-day in MFT software exploited by ransomware operators for stealthy initial access.

“It also mirrors MOVEit with attacks hitting the wild about a week before the Sept. 18 patch, as [GoAnywhere] exploitation dates back to at least Sept. 10,” said Dixon. “This low-complexity, remote-executable flaw could snowball into MOVEit-level chaos, but one key difference tempers the scale: Per Shadowserver monitoring, only about 500 GoAnywhere instances are exposed online, whereas MOVEit saw more than 60,000. In this case, fewer organizations are likely at direct risk.”