- CVE-2025-10035 in GoAnywhere MFT is being exploited by the ransomware group Storm-1175
- The vulnerability enables unauthenticated remote code execution; Medusa ransomware was deployed in at least one case
- A patch was released on September 18; over 500 instances remain exposed, so immediate upgrades or mitigations are needed
Microsoft warns that a ransomware group is exploiting a recently discovered maximum-severity vulnerability in GoAnywhere Managed File Transfer (MFT).
Fortra recently said it discovered and patched a deserialization vulnerability in the License Servlet of GoAnywhere MFT, a tool that helps companies send and receive files securely.
The flaw, tracked as CVE-2025-10035 and assigned the maximum severity (CVSS 10/10, critical), allows a threat actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, "possibly leading to command injection."
Storm-1175
Shortly thereafter, security researchers at watchTowr Labs reported finding "credible evidence" that the flaw had been exploited as a zero-day as early as September 10. At that time there was no attribution: it was not known who was exploiting the flaw, for what purpose, or against which companies.
Now Microsoft has released a new report pointing the finger at a threat actor it tracks as Storm-1175.
"Microsoft Defender Security Research identified exploitation activity in multiple organizations consistent with tactics, techniques and procedures (TTPs) attributed to Storm-1175," Microsoft said in the report. "Related activity was observed on September 11, 2025."
Microsoft also said the group used the vulnerability to infect its targets with the Medusa ransomware strain.
"Ultimately, successful deployment of Medusa ransomware was observed in a compromised environment," it concluded.
A patch for the vulnerability was released on September 18, but it is safe to assume that not every instance has been updated. The Shadowserver Foundation says there are currently more than 500 GoAnywhere MFT instances exposed online, but it is unclear how many of them are patched.
The best way to protect against these attacks is to upgrade to a patched version, either the latest release (7.8.4) or Sustain Release 7.6.3.
Those who cannot patch right now should ensure the GoAnywhere Admin Console is not reachable from the public internet, and those who suspect they may have been targeted should inspect their logs for errors whose stack trace contains the string 'SignedObject.getObject'.
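As an added example (not code from Fortra, Microsoft or BleepingComputer), the script below does the two checks a defender would run after reading the above: it scans log text for the 'SignedObject.getObject' indicator, reporting the timestamp and message of each affected log entry, and it checks an installed version string against the two fixed releases named above. The log layout (log4j-style timestamped entries followed by Java stack frames), the sample entries, and the rule that every line other than 7.6 and 7.8 is treated as unpatched are assumptions made for this example.

```python
"""Post-advisory checks for CVE-2025-10035 (added example, not vendor code).

Assumptions: log entries start with a 'YYYY-MM-DD HH:MM:SS,mmm LEVEL msg'
header and are followed by stack-trace lines; the sample log is constructed.
"""
import re
from dataclasses import dataclass

# Indicator string from the Fortra advisory: this JDK method appears in the
# stack trace when a forged license response is deserialized.
INDICATOR = "SignedObject.getObject"

# Assumed log4j-style header; adjust to your own GoAnywhere log layout.
ENTRY_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}(?:,\d{3})?)\s+(\w+)\s+(.*)$"
)


@dataclass
class Hit:
    timestamp: str
    level: str
    message: str
    frame: str  # the stack frame that matched the indicator


def split_entries(text):
    """Group lines into entries: a header line plus its continuation lines."""
    entries, current = [], None
    for line in text.splitlines():
        if ENTRY_RE.match(line):
            current = [line]
            entries.append(current)
        elif current is not None:
            current.append(line)  # stack-trace line belonging to the last header
    return entries


def find_indicator(text):
    """Return one Hit per log entry whose lines mention the indicator."""
    hits = []
    for entry in split_entries(text):
        m = ENTRY_RE.match(entry[0])
        for line in entry:
            if INDICATOR in line:
                hits.append(Hit(m.group(1), m.group(2), m.group(3), line.strip()))
                break
    return hits


def parse_version(version):
    return tuple(int(p) for p in version.strip().split("."))


def is_patched(version):
    """True if the version is at or past the fix for its release line.

    Assumption: 7.6.x is the Sustain line fixed at 7.6.3; everything else is
    compared against 7.8.4, so 7.7.x (no fix) and older lines are vulnerable
    and later lines (7.9+) are assumed to carry the fix.
    """
    v = parse_version(version)
    if v[:2] == (7, 6):
        return v >= (7, 6, 3)
    return v >= (7, 8, 4)


# Constructed sample log: one benign entry, one entry with the indicator frame.
SAMPLE_LOG = """\
2025-09-10 23:58:01,004 INFO  Scheduled job completed
2025-09-11 02:14:07,513 ERROR Error parsing license response
java.lang.ClassCastException: constructed example exception
\tat java.security.SignedObject.getObject(Unknown Source)
\tat com.example.LicenseHandler.handle(LicenseHandler.java:42)
2025-09-11 02:15:00,001 INFO  User admin logged in
"""

if __name__ == "__main__":
    for hit in find_indicator(SAMPLE_LOG):
        print(f"{hit.timestamp} {hit.level}: {hit.message} [{hit.frame}]")
    for ver in ("7.8.3", "7.8.4", "7.6.2", "7.6.3", "7.7.1"):
        print(ver, "patched" if is_patched(ver) else "VULNERABLE")
```

Feed the script the contents of your real log files instead of SAMPLE_LOG; a hit dates the attempt and points at the request that triggered it, which is the starting point for the incident timeline rather than proof of compromise on its own.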
Via BleepingComputer