Quick Takeaways
- A zero-day vulnerability (CVE-2025-10035, CVSS 10/10) in Fortra GoAnywhere MFT was exploited by the Chinese ransomware group Storm-1175 since September 11, enabling remote code execution and backdoor creation.
- Attackers used forged license signatures, remote monitoring tools, lateral movement, and C&C tunnels to compromise and control affected systems, deploying Medusa ransomware and exfiltrating data via Rclone.
- Despite patches released on September 18, authorities and Fortra did not immediately warn about exploitation, with experts suggesting attackers may have accessed or manipulated private keys critical for signature forging.
- The exploitation was only confirmed weeks later by Microsoft, highlighting delays in breach notification and raising concerns over security oversight, especially regarding private key management and disclosure.
Problem Explained
Recently, a critical vulnerability in Fortra’s GoAnywhere MFT, identified as CVE-2025-10035 with a maximum severity score, was exploited by Chinese hackers affiliated with the Storm-1175 group, a known ransomware offender. Although Fortra released patches on September 18 to address this flaw—a flaw that could enable remote command execution through a deserialization bug—the attackers had already begun exploiting it at least by September 10, before the fix was available. The hackers used this zero-day vulnerability to implant backdoors and deploy the Medusa ransomware, effectively gaining unauthorized access to internet-facing systems, creating malicious files, and using remote management tools like Rclone and MeshAgent to exfiltrate data and move laterally within compromised networks.
The incident is concerning because, despite the patches and warnings from cybersecurity firms like watchTowr and Rapid7, organizations remained vulnerable for weeks, partly due to the failure of Fortra to promptly alert users about the exploitation. Reports suggest the attackers exploited a leaked or secretly obtained ‘serverkey1’ private key, essential for forging valid license signatures that allowed them to bypass security measures. As a result, the attack not only underscores significant lapses in timely disclosure but also highlights how advanced persistent threats from state-sponsored groups are increasingly leveraging zero-day vulnerabilities for financially driven, sophisticated cyber operations, leaving affected organizations and cybersecurity authorities grappling to understand the full scope and prevent future incidents.
Risks Involved
A critical vulnerability in Fortra GoAnywhere MFT (CVE-2025-10035), with a perfect CVSS score of 10/10, was exploited as a zero-day by a Chinese ransomware group, Storm-1175, shortly after its disclosure in September. This flaw in the application’s license servlet allowed for remote code execution and was actively exploited since at least September 11, before patches were released. Attackers used forged license signatures to gain backdoor access, deploying remote management tools and creating malicious files, which enabled them to perform network discovery, lateral movement, and data exfiltration—culminating in the deployment of Medusa ransomware on compromised systems. The breach underscores a severe security lapse: despite patch releases, organizations remained vulnerable for weeks, largely due to the threat actors’ alleged access to a private server key—whose leak or theft remains unconfirmed—highlighting the risks of delayed threat detection and response, as well as the potential for devastating cyberattacks that can compromise data integrity, disrupt services, and cause financial and reputational damage on a broad scale.
Possible Actions
Addressing the Fortra GoAnywhere MFT zero-day exploit swiftly is crucial to prevent widespread ransomware attacks, protect sensitive data, and maintain organizational integrity. Delayed action can lead to devastating breaches, financial losses, and reputational harm.
Mitigation Measures
Implement immediate patching of affected systems and disable vulnerable services until updates are applied. Conduct thorough vulnerability scans to identify potential exploit points and block known malicious IPs and command-and-control servers associated with the threat.
Remediation Steps
Notify IT security teams promptly to orchestrate a coordinated response. Isolate compromised systems to prevent lateral movement across the network. Perform comprehensive forensic analysis to assess breach scope, then restore systems from secure backups and reinforce security controls to prevent future attacks.
Stay Ahead in Cybersecurity
Stay informed on the latest Threat Intelligence and Cyberattacks.
Explore engineering-led approaches to digital security at IEEE Cybersecurity.
Disclaimer: The information provided may not always be accurate or up to date. Please do your own research, as the cybersecurity landscape evolves rapidly. Intended for secondary references purposes only.
Cyberattacks-V1
