{"id":26020,"date":"2025-10-06T10:22:27","date_gmt":"2025-10-06T18:22:27","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2025\/10\/06\/news-19739\/"},"modified":"2025-10-06T10:22:27","modified_gmt":"2025-10-06T18:22:27","slug":"news-19739","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2025\/10\/06\/news-19739\/","title":{"rendered":"Investigating active exploitation of CVE-2025-10035 GoAnywhere Managed File Transfer vulnerability"},"content":{"rendered":"<p><strong>Credit to Author: Microsoft Threat Intelligence| Date: Mon, 06 Oct 2025 17:00:00 +0000<\/strong><\/p>\n<p class=\"wp-block-paragraph\">On September 18, 2025, Fortra published a <a href=\"https:\/\/www.fortra.com\/security\/advisories\/product-security\/fi-2025-012\">security advisory<\/a> regarding a critical deserialization vulnerability in GoAnywhere MFT&#8217;s License Servlet, which is tracked as <a href=\"https:\/\/www.cve.org\/cverecord?id=CVE-2025-10035\">CVE-2025-10035<\/a> and has a CVSS score of 10.0. The vulnerability could allow a threat actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection and potential remote code execution (RCE). A cybercriminal group tracked by Microsoft Threat Intelligence as Storm-1175, known for deploying Medusa ransomware and exploiting public-facing applications for initial access, was observed exploiting the vulnerability.<\/p>\n<p class=\"wp-block-paragraph\">Microsoft urges customers to upgrade to the latest version following Fortra\u2019s recommendations. 
&nbsp;We are publishing this blog post&nbsp;to&nbsp;increase&nbsp;awareness of this threat and to share end-to-end&nbsp;protection coverage details&nbsp;across&nbsp;Microsoft Defender, as well as security posture hardening recommendations&nbsp;for customers.<\/p>\n<h2 class=\"wp-block-heading\" id=\"vulnerability-analysis\">Vulnerability analysis&nbsp;<\/h2>\n<p class=\"wp-block-paragraph\">The vulnerability, tracked as CVE-2025-10035, is a critical deserialization flaw impacting GoAnywhere MFT\u2019s License Servlet Admin Console versions up to 7.8.3. It enables an attacker to bypass signature verification by crafting a forged license response signature, which then allows the deserialization of arbitrary, attacker-controlled objects.<\/p>\n<p class=\"wp-block-paragraph\">Successful exploitation could result in command injection and potential RCE on the affected system. Public reports indicate that exploitation does not require authentication if the attacker can craft or intercept valid license responses, making this vulnerability particularly dangerous for internet-exposed instances.<\/p>\n<p class=\"wp-block-paragraph\">The impact of CVE-2025-10035 is amplified by the fact that, upon successful exploitation, attackers could perform system and user discovery, maintain long-term access, and deploy additional tools for lateral movement and malware. Public advisories recommend immediate patching, reviewing license verification mechanisms, and closely monitoring for suspicious activity in GoAnywhere MFT environments to mitigate risks associated with this vulnerability.<\/p>\n<h2 class=\"wp-block-heading\" id=\"exploitation-activity-by-storm-1175\">Exploitation activity by Storm-1175 &nbsp;<\/h2>\n<p class=\"wp-block-paragraph\">Microsoft Defender researchers identified exploitation activity in multiple organizations aligned to tactics, techniques, and procedures (TTPs) attributed to Storm-1175. 
Related activity was observed on September 11, 2025.<\/p>\n<p class=\"wp-block-paragraph\">An analysis of the threat actor\u2019s TTPs reveals a multi-stage attack. For initial access, the threat actor exploited the then-zero-day deserialization vulnerability in GoAnywhere MFT. To maintain persistence, they abused remote monitoring and management (RMM) tools, specifically SimpleHelp and MeshAgent. They dropped the RMM binaries directly under the GoAnywhere MFT process. In addition to these RMM payloads, the creation of <em>.jsp<\/em> files within the GoAnywhere MFT directories was observed, often at the same time as the dropped RMM tools.<\/p>\n<p class=\"wp-block-paragraph\">The threat actor then executed user and system discovery commands and deployed tools like netscan for network discovery. Lateral movement was achieved using <em>mstsc.exe<\/em>, allowing the threat actor to move across systems within the compromised network.<\/p>\n<p class=\"wp-block-paragraph\">For command and control (C2), the threat actor utilized RMM tools to establish their infrastructure and even set up a Cloudflare tunnel for secure C2 communication. During the exfiltration stage, the deployment and execution of Rclone was observed in at least one victim environment. Ultimately, in one compromised environment, the successful deployment of Medusa ransomware was observed.<\/p>\n<h2 class=\"wp-block-heading\" id=\"mitigation-and-protection-guidance\">Mitigation and protection guidance<\/h2>\n<p class=\"wp-block-paragraph\">Microsoft recommends the following mitigations to reduce the impact of this threat.&nbsp;<\/p>\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Upgrade to the latest version following\u00a0<a href=\"https:\/\/www.goanywhere.com\/resources\/articles\/how-to-upgrade-goanywhere-mft\">Fortra\u2019s recommendations<\/a>. 
Note that upgrading does not address previous exploitation activity, and review of the impacted system may be required.\u00a0<\/li>\n<li class=\"wp-block-list-item\">Use an enterprise attack surface management product, like Microsoft Defender External Attack Surface Management (Defender\u00a0EASM), to discover unpatched systems on your perimeter.\u00a0<\/li>\n<li class=\"wp-block-list-item\">Check your perimeter firewall and proxy to ensure servers are restricted from accessing the internet for arbitrary connections, like browsing and downloads. Such restrictions help inhibit malware downloads and command-and-control activity.\u00a0<\/li>\n<li class=\"wp-block-list-item\">Run\u00a0<a href=\"https:\/\/learn.microsoft.com\/defender-endpoint\/edr-in-block-mode?ocid=magicti_ta_learndoc\">endpoint detection and response (EDR) in block mode<\/a>\u00a0so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.\u00a0<\/li>\n<li class=\"wp-block-list-item\">Enable\u00a0<a href=\"https:\/\/learn.microsoft.com\/defender-endpoint\/automated-investigations?ocid=magicti_ta_learndoc\">investigation and remediation<\/a>\u00a0in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.\u00a0<\/li>\n<li class=\"wp-block-list-item\">Turn on\u00a0<a href=\"https:\/\/learn.microsoft.com\/defender-endpoint\/configure-block-at-first-sight-microsoft-defender-antivirus?ocid=magicti_ta_learndoc\">block mode<\/a>\u00a0in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. 
Cloud-based machine learning protections block a majority of new and unknown variants.\u00a0<\/li>\n<li class=\"wp-block-list-item\">Microsoft Defender customers can turn on\u00a0<a href=\"https:\/\/learn.microsoft.com\/defender-endpoint\/attack-surface-reduction?ocid=magicti_ta_learndoc\">attack surface reduction rules<\/a>\u00a0to prevent common attack techniques used in ransomware attacks. Attack surface reduction rules are sweeping settings that are effective at stopping entire classes of threats:\u00a0\n<ul>\n<li><a href=\"https:\/\/learn.microsoft.com\/defender-endpoint\/attack-surface-reduction-rules-reference?ocid=magicti_ta_learndoc#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion\">Block executable files from running unless they meet a prevalence, age, or trusted list criterion<\/a>\u00a0<\/li>\n<\/ul>\n<ul>\n<li><a href=\"https:\/\/learn.microsoft.com\/defender-endpoint\/attack-surface-reduction-rules-reference?ocid=magicti_ta_learndoc#use-advanced-protection-against-ransomware\">Use advanced protection against ransomware<\/a>\u00a0<\/li>\n<\/ul>\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/learn.microsoft.com\/en-us\/defender-endpoint\/attack-surface-reduction-rules-reference?ocid=magicti_ta_learndoc#block-webshell-creation-for-servers\">Block web shell creation for servers<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2 class=\"wp-block-heading\" id=\"microsoft-defender-xdr-detections\">Microsoft Defender XDR detections<\/h2>\n<p class=\"wp-block-paragraph\">Following the release of the vulnerability, the Microsoft Defender Research Team ensured that protections are deployed for customers, from ensuring that Microsoft Defender Vulnerability Management correctly identifies and surfaces all vulnerable devices in impacted customer environments, to building Microsoft Defender for Endpoint detections and alerting along the attack chain.<\/p>\n<p 
class=\"wp-block-paragraph\">Microsoft Defender Vulnerability Management customers can search for this vulnerability in the Defender Portal or navigate directly to the CVE page to view a detailed list of the exposed devices within their organization.<\/p>\n<p class=\"wp-block-paragraph\">Customers of Microsoft Defender Experts for XDR that might have been impacted have also been notified of any post-exploitation activity and recommended actions.<\/p>\n<p class=\"wp-block-paragraph\">Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, apps to provide integrated protection against attacks like the threat discussed in this blog.&nbsp;<\/p>\n<p class=\"wp-block-paragraph\">Customers with provisioned access can also use <a href=\"https:\/\/learn.microsoft.com\/en-us\/defender-xdr\/security-copilot-in-microsoft-365-defender\">Microsoft Security Copilot in Microsoft Defender<\/a> to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.<\/p>\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<tbody>\n<tr>\n<td><strong>Tactic<\/strong>&nbsp;<\/td>\n<td><strong>Observed activity<\/strong>&nbsp;<\/td>\n<td><strong>Microsoft Defender coverage<\/strong>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td><strong>Initial access<\/strong>&nbsp;<\/td>\n<td>Exploitation of GoAnywhere MFT via deserialization in Licensing Service<\/td>\n<td><strong>Microsoft Defender for Endpoint <\/strong>detects possible exploitation via the following alert: <br \/>&#8211; Possible exploitation of GoAnywhere MFT vulnerability\u00a0 \u00a0 <\/p>\n<p><strong>Microsoft Defender Experts for XDR<\/strong>\u00a0can detect possible exploitation via the following alerts: <br \/>&#8211; Possible exploitation of vulnerability in GoAnywhere Tomcat<br \/>&#8211; Possible discovery 
activity following successful Tomcat vulnerability exploitation<\/p>\n<p><strong>Microsoft Defender Vulnerability Management<\/strong> <strong>(MDVM)<\/strong> surfaces devices vulnerable to CVE-2025-10035.<\/p>\n<p><strong>Microsoft Defender External Attack Surface Management\u00a0<\/strong>Attack Surface Insights with the following title can indicate vulnerable devices on your network but is not necessarily indicative of exploitation:\u00a0 <br \/>&#8211; [Potential]\u00a0CVE-2025-10035 &#8211; GoAnywhere MFT Command Injection via Deserialization in Licensing Service\u00a0<\/p>\n<p>(<strong>Note<\/strong>: An Attack Surface Insight marked as\u00a0potential\u00a0indicates a service is running but cannot validate whether that service is running a vulnerable version. Check resources to verify that they are up to date.)<\/td>\n<\/tr>\n<tr>\n<td><strong>Persistence<\/strong>&nbsp;<\/td>\n<td>Dropping and abuse of remote monitoring and management (RMM) tool and suspected web shell deployment; creation of <em>.jsp<\/em> files within the GoAnywhere MFT directories&nbsp;<\/td>\n<td><strong>Microsoft Defender for Endpoint<\/strong> detects possible signs of the attacker deploying persistence mechanisms via the following alerts: <br \/>&#8211; Uncommon remote access software\u00a0<br \/>&#8211; Remote access software\u00a0<br \/>&#8211; Suspicious file dropped and launched\u00a0<br \/>&#8211; Suspicious service launched\u00a0<br \/>&#8211; Suspicious account creation\u00a0<br \/>&#8211; User account created under suspicious circumstances\u00a0<br \/>&#8211; New local admin added using Net commands\u00a0<br \/>&#8211; New group added suspiciously\u00a0<br \/>&#8211; Suspicious Windows account manipulation\u00a0<br \/>&#8211; Ransomware-linked threat actor detected\u00a0<\/td>\n<\/tr>\n<tr>\n<td><strong>Discovery<\/strong>&nbsp;<\/td>\n<td>User and system discovery commands; deployment of tools such as netscan for network discovery<\/td>\n<td><strong>Microsoft Defender for 
Endpoint<\/strong>\u00a0detects malicious exploration activities via the following alerts:<br \/>&#8211; Suspicious sequence of exploration activities<br \/>&#8211; Anomalous account lookups\u00a0<br \/>&#8211; Suspicious Windows account manipulation<\/td>\n<\/tr>\n<tr>\n<td><strong>Command and control<\/strong>&nbsp;<\/td>\n<td>Use of RMM tools for establishing C2 infrastructure and setup of Cloudflare tunnel for secure C2 communication&nbsp;<\/td>\n<td><strong>Microsoft Defender for Endpoint<\/strong> detects C2 activities observed in this campaign via the following alerts: <br \/>&#8211; Uncommon remote access software\u00a0<br \/>&#8211; Remote access software\u00a0<\/td>\n<\/tr>\n<tr>\n<td><strong>Exfiltration<\/strong>&nbsp;<\/td>\n<td>Rclone deployment and execution<\/td>\n<td><strong>Microsoft Defender for Endpoint<\/strong>\u00a0detects exfiltration activities observed in this campaign via the following alert: <br \/>&#8211; Ransomware-linked threat actor detected\u00a0<\/td>\n<\/tr>\n<tr>\n<td><strong>Actions on objectives<\/strong>&nbsp;<\/td>\n<td>Deployment of Medusa ransomware&nbsp;<\/td>\n<td><strong>Microsoft Defender Antivirus<\/strong> detects the ransomware payload used in this attack as the following threat: <br \/>&#8211; <a href=\"https:\/\/www.microsoft.com\/en-us\/wdsi\/threats\/malware-encyclopedia-description?Name=Ransom:Win32\/Medusa.PA!MTB&amp;threatId=-2147079865\">Ransom:Win32\/Medusa<\/a> \u00a0 <\/p>\n<p><strong>Microsoft Defender for Endpoint<\/strong>\u00a0detects the ransomware payload via the following alerts:<br \/>&#8211; Ransomware-linked threat actor detected\u00a0<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<h2 class=\"wp-block-heading\" id=\"microsoft-security-copilot\">Microsoft Security Copilot<\/h2>\n<p class=\"wp-block-paragraph\">Security Copilot customers can use the standalone experience to <a href=\"https:\/\/learn.microsoft.com\/copilot\/security\/prompting-security-copilot#create-your-own-prompts\">create 
their own prompts<\/a> or run the following <a href=\"https:\/\/learn.microsoft.com\/copilot\/security\/using-promptbooks\">prebuilt promptbooks<\/a> to automate incident response or investigation tasks related to this threat:<\/p>\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Incident investigation<\/li>\n<li class=\"wp-block-list-item\">Microsoft User analysis<\/li>\n<li class=\"wp-block-list-item\">Threat actor profile<\/li>\n<li class=\"wp-block-list-item\">Threat Intelligence 360 report based on MDTI article<\/li>\n<li class=\"wp-block-list-item\">Vulnerability impact assessment<\/li>\n<\/ul>\n<p class=\"wp-block-paragraph\">Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.<strong><\/strong><\/p>\n<h2 class=\"wp-block-heading\" id=\"threat-intelligence-reports\">Threat intelligence reports<\/h2>\n<p class=\"wp-block-paragraph\">Microsoft Defender XDR customers can use the following threat analytics reports in the Defender portal (requires license for at least one Defender XDR product) to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. 
These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.<\/p>\n<h3 class=\"wp-block-heading\" id=\"microsoft-defender-xdr-threat-analytics\">Microsoft Defender XDR threat analytics<\/h3>\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/security.microsoft.com\/intel-profiles\/CVE-2025-10035\">Vulnerability profile: CVE-2025-10035 &#8211; GoAnywhere Managed File Transfer<\/a><\/li>\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/security.microsoft.com\/intel-profiles\/5b27d7d5d327dcf79270601aac97d735449f7463a8cb0d06d3f117d4c29cdb83\">Actor profile: Storm-1175<\/a><\/li>\n<\/ul>\n<p class=\"wp-block-paragraph\">Microsoft Security Copilot customers can also use the <a href=\"https:\/\/learn.microsoft.com\/defender\/threat-intelligence\/security-copilot-and-defender-threat-intelligence?bc=%2Fsecurity-copilot%2Fbreadcrumb%2Ftoc.json&amp;toc=%2Fsecurity-copilot%2Ftoc.json#turn-on-the-security-copilot-integration-in-defender-ti\">Microsoft Security Copilot integration<\/a> in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the <a href=\"https:\/\/learn.microsoft.com\/defender\/threat-intelligence\/using-copilot-threat-intelligence-defender-xdr\">embedded experience<\/a> in the Microsoft Defender portal to get more information about this threat actor.<\/p>\n<h2 class=\"wp-block-heading\" id=\"hunting-queries\">Hunting queries<\/h2>\n<h3 class=\"wp-block-heading\" id=\"microsoft-defender-xdr\">Microsoft Defender XDR<\/h3>\n<p class=\"wp-block-paragraph\">Microsoft Defender XDR customers can run the following query to find related activity in their networks:<\/p>\n<p class=\"wp-block-paragraph\"><strong>Vulnerable devices<\/strong><\/p>\n<p class=\"wp-block-paragraph\">Find devices affected by the CVE-2025-10035 vulnerability.<\/p>\n<div 
class=\"wp-block-syntaxhighlighter-code \">\n<pre class=\"brush: plain; auto-links: false; gutter: false; title: ; quick-code: false; notranslate\"> DeviceTvmSoftwareVulnerabilities  | where CveId in (\"CVE-2025-10035\")  | summarize by DeviceName, CveId <\/pre>\n<\/div>\n<p class=\"wp-block-paragraph\"><strong>Possible GoAnywhere MFT exploitation<\/strong><\/p>\n<p class=\"wp-block-paragraph\">Look for suspicious PowerShell commands indicative of GoAnywhere MFT exploitation. These commands are also detected with the Defender for Endpoint alert&nbsp;<em>Possible exploitation of GoAnywhere MFT vulnerability<\/em>.&nbsp;<\/p>\n<div class=\"wp-block-syntaxhighlighter-code \">\n<pre class=\"brush: plain; auto-links: false; gutter: false; title: ; quick-code: false; notranslate\"> DeviceProcessEvents | where InitiatingProcessFolderPath contains @\"GoAnywhere\" | where InitiatingProcessFileName contains \"tomcat\" | where InitiatingProcessCommandLine endswith \"\/\/RS\/\/GoAnywhere\" | where FileName == \"powershell.exe\" | where ProcessCommandLine has_any (\"whoami\", \"systeminfo\", \"net user\", \"net group\", \"localgroup administrators\", \"nltest \/trusted_domains\", \"dsquery\", \"samaccountname=\", \"query session\", \"adscredentials\", \"o365accountconfiguration\", \"Invoke-Expression\", \"DownloadString\", \"DownloadFile\", \"FromBase64String\",  \"System.IO.Compression\", \"System.IO.MemoryStream\", \"iex \", \"iex(\", \"Invoke-WebRequest\", \"set-MpPreference\", \"add-MpPreference\", \"certutil\", \"bitsadmin\") <\/pre>\n<\/div>\n<p class=\"wp-block-paragraph\">Look for suspicious cmd.exe commands launched after possible GoAnywhere MFT exploitation. 
These commands are also detected with the Defender for Endpoint alert\u00a0<em>Possible exploitation of GoAnywhere MFT vulnerability<\/em>.\u00a0<\/p>\n<div class=\"wp-block-syntaxhighlighter-code \">\n<pre class=\"brush: plain; auto-links: false; gutter: false; title: ; quick-code: false; notranslate\"> DeviceProcessEvents | where InitiatingProcessFolderPath contains @\"GoAnywhere\" | where InitiatingProcessFileName contains \"tomcat\" | where InitiatingProcessCommandLine endswith \"\/\/RS\/\/GoAnywhere\" | where ProcessCommandLine !contains @\"GIT\" | where FileName == \"cmd.exe\" | where ProcessCommandLine has_any (\"powershell.exe\", \"powershell \", \"rundll32.exe\", \"rundll32 \", \"bitsadmin.exe\", \"bitsadmin \", \"wget http\", \"quser\") or ProcessCommandLine has_all (\"nltest\", \"\/dclist\") or ProcessCommandLine has_all (\"nltest\", \"\/domain_trusts\") or ProcessCommandLine has_all (\"net\", \"user \", \"\/add\") or ProcessCommandLine has_all (\"net\", \"user \", \" \/domain\") or ProcessCommandLine has_all (\"net\", \" group\", \"\/domain\") <\/pre>\n<\/div>\n<p class=\"wp-block-paragraph\"><strong>Storm-1175 indicators of compromise<\/strong><\/p>\n<p class=\"wp-block-paragraph\">The following query identifies known post-compromise tools leveraged in recent GoAnywhere exploitation activity attributed to Storm-1175. 
Note that the alert&nbsp;<em>Ransomware-linked threat actor detected<\/em>&nbsp;will detect these hashes.&nbsp;<\/p>\n<div class=\"wp-block-syntaxhighlighter-code \">\n<pre class=\"brush: plain; auto-links: false; gutter: false; title: ; quick-code: false; notranslate\"> let fileHashes = dynamic([\"4106c35ff46bb6f2f4a42d63a2b8a619f1e1df72414122ddf6fd1b1a644b3220\", \"c7e2632702d0e22598b90ea226d3cde4830455d9232bd8b33ebcb13827e99bc3\", \"cd5aa589873d777c6e919c4438afe8bceccad6bbe57739e2ccb70b39aee1e8b3\", \"5ba7de7d5115789b952d9b1c6cff440c9128f438de933ff9044a68fff8496d19\"]); union ( DeviceFileEvents | where SHA256 in (fileHashes) | project Timestamp, FileHash = SHA256, SourceTable = \"DeviceFileEvents\" ), ( DeviceEvents | where SHA256 in (fileHashes) | project Timestamp, FileHash = SHA256, SourceTable = \"DeviceEvents\" ), ( DeviceImageLoadEvents | where SHA256 in (fileHashes) | project Timestamp, FileHash = SHA256, SourceTable = \"DeviceImageLoadEvents\" ), ( DeviceProcessEvents | where SHA256 in (fileHashes) | project Timestamp, FileHash = SHA256, SourceTable = \"DeviceProcessEvents\" ) | order by Timestamp desc <\/pre>\n<\/div>\n<h2 class=\"wp-block-heading\" id=\"indicators-of-compromise\">Indicators of compromise<\/h2>\n<p class=\"wp-block-paragraph\">File IoCs (RMM tools in identified Storm-1175 exploitation activity):<\/p>\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">4106c35ff46bb6f2f4a42d63a2b8a619f1e1df72414122ddf6fd1b1a644b3220 (MeshAgent SHA-256)\u00a0<\/li>\n<li class=\"wp-block-list-item\">c7e2632702d0e22598b90ea226d3cde4830455d9232bd8b33ebcb13827e99bc3 (SimpleHelp SHA-256)\u00a0<\/li>\n<li class=\"wp-block-list-item\">cd5aa589873d777c6e919c4438afe8bceccad6bbe57739e2ccb70b39aee1e8b3 (SimpleHelp SHA-256)\u00a0<\/li>\n<li class=\"wp-block-list-item\">5ba7de7d5115789b952d9b1c6cff440c9128f438de933ff9044a68fff8496d19 (SimpleHelp SHA-256)\u00a0<\/li>\n<\/ul>\n<p class=\"wp-block-paragraph\">Network IoCs (IPs associated with 
SimpleHelp):<\/p>\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">31[.]220[.]45[.]120<\/li>\n<li class=\"wp-block-list-item\">45[.]11[.]183[.]123<\/li>\n<li class=\"wp-block-list-item\">213[.]183[.]63[.]41<\/li>\n<\/ul>\n<h2 class=\"wp-block-heading\" id=\"references\">References<\/h2>\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/www.fortra.com\/security\/advisories\/product-security\/fi-2025-012\" target=\"_blank\" rel=\"noreferrer noopener\">Deserialization Vulnerability in GoAnywhere MFT&#8217;s License Servlet<\/a> (Fortra)<\/li>\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/www.cve.org\/cverecord?id=CVE-2025-10035\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2025-10035 Detail<\/a> (CVE)<\/li>\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-10035\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2025-10035 Detail<\/a> (NIST)<\/li>\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/www.goanywhere.com\/resources\/articles\/how-to-upgrade-goanywhere-mft\" target=\"_blank\" rel=\"noreferrer noopener\">Upgrade Process<\/a> (GoAnywhere)<\/li>\n<\/ul>\n<h2 class=\"wp-block-heading\" id=\"learn-more\">Learn more<\/h2>\n<p class=\"wp-block-paragraph\">For the latest security research from the Microsoft Threat Intelligence community, check out the <a href=\"https:\/\/aka.ms\/threatintelblog\">Microsoft Threat Intelligence Blog<\/a>.<\/p>\n<p class=\"wp-block-paragraph\">To get notified about new publications and to join discussions on social media, follow us on <a href=\"https:\/\/www.linkedin.com\/showcase\/microsoft-threat-intelligence\">LinkedIn<\/a>, <a href=\"https:\/\/x.com\/MsftSecIntel\">X (formerly Twitter)<\/a>, and <a href=\"https:\/\/bsky.app\/profile\/threatintel.microsoft.com\">Bluesky<\/a>.<\/p>\n<p class=\"wp-block-paragraph\">To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat 
landscape, listen to the <a href=\"https:\/\/thecyberwire.com\/podcasts\/microsoft-threat-intelligence\">Microsoft Threat Intelligence podcast<\/a>.<\/p>\n<p>The post <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/10\/06\/investigating-active-exploitation-of-cve-2025-10035-goanywhere-managed-file-transfer-vulnerability\/\">Investigating active exploitation of CVE-2025-10035 GoAnywhere Managed File Transfer vulnerability<\/a> appeared first on <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\">Microsoft Security Blog<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Microsoft Threat Intelligence| Date: Mon, 06 Oct 2025 17:00:00 +0000<\/strong><\/p>\n<p>Storm-1175, a financially motivated actor known for deploying Medusa ransomware and exploiting public-facing applications for initial access, was observed exploiting the deserialization vulnerability in GoAnywhere MFT&#8217;s License Servlet, tracked as CVE-2025-10035. 
We are publishing this blog post to increase awareness of this threat and to share end-to-end protection coverage details across Microsoft Defender.<\/p>\n<p>The post <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/10\/06\/investigating-active-exploitation-of-cve-2025-10035-goanywhere-managed-file-transfer-vulnerability\/\">Investigating active exploitation of CVE-2025-10035 GoAnywhere Managed File Transfer vulnerability<\/a> appeared first on <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\">Microsoft Security Blog<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10759,10378],"tags":[],"class_list":["post-26020","post","type-post","status-publish","format-standard","hentry","category-microsoft","category-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/26020","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=26020"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/26020\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=26020"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=26020"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=26020"}],"cu
ries":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}