Executive Summary
In September 2025, Fortra disclosed a critical vulnerability in its GoAnywhere Managed File Transfer (MFT) platform, CVE-2025-10035, that was already being exploited in the wild. The flaw is a deserialization bug in the product's License Servlet: a request carrying a license response with a signature the server accepts is deserialized into an arbitrary attacker-controlled object, which leads to command injection and remote code execution. Producing such a signature should require a private signing key, and how the attackers obtained or forged one has not been publicly explained. Microsoft attributed the intrusions to the ransomware-affiliated group it tracks as Storm-1175, which used the initial access for multi-stage attacks involving lateral movement, data exfiltration and ransomware deployment, causing business disruption for affected GoAnywhere users. Fortra's own investigation confirmed unauthorized activity dating back to 11 September, a week before its 18 September advisory; the company released fixed builds, investigated suspicious activity and notified affected customers, but the root cause and extent of the apparent private key compromise remain open questions.
This incident illustrates the risk that third-party and supply-chain software, especially internet-facing file transfer platforms that hold sensitive data for many organizations, is exploited in ransomware campaigns. That the exploit depends on a cryptographic trust anchor rather than a plain input-validation bug is notable: a vendor's signing key is a single point of failure for every customer deployment. Organizations should treat such privileged cryptographic assets, and the speed with which they patch when one is called into question, as first-order risks.
Why This Matters Now
Ransomware actors are directly targeting managed file transfer platforms, which concentrate sensitive data and sit at the network edge, so organizations face rising exposure from third-party software failures. When a trusted vendor cannot fully account for how its own cryptographic assets were used against customers, the customer's remaining levers are reducing exposure (for example, keeping the GoAnywhere Admin Console off the public internet, as Fortra recommends), patching quickly, and compensating controls such as zero trust segmentation and supply chain monitoring.
Attack Path Analysis
Attackers exploited CVE-2025-10035 against internet-exposed GoAnywhere MFT instances by submitting a license response that passed the server's signature check and was then deserialized, giving them code execution in the context of the GoAnywhere service. From that foothold they established a command and control channel and persistence, likely escalated or harvested privileges to reach application and cloud resources, moved laterally within the managed service or customer environment toward other hosts and data stores, and exfiltrated sensitive files, plausibly over outbound connections blended with legitimate traffic. The campaign ended with ransomware deployment, encrypting critical data and disrupting file transfer operations.
Kill Chain Progression
Initial Compromise
Description
Exploitation of CVE-2025-10035 gave unauthenticated remote code execution on exposed GoAnywhere MFT instances. The vulnerable code path is the License Servlet, which deserializes a license response once its signature verifies. The attackers therefore presented a signature the server accepted; whether that reflects a leaked private signing key, a forged signature, or some other bypass has not been publicly explained.
Related CVEs
CVE-2025-10035
CVSS 10.0. A deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an attacker with a validly forged license response signature to deserialize an arbitrary attacker-controlled object, potentially leading to command injection and remote code execution.
Affected Products:
Fortra GoAnywhere MFT – versions up to and including 7.8.3 (fixed in 7.8.4 and Sustain Release 7.6.3)
Exploit Status:
Exploited in the wild (confirmed by Fortra; exploitation was observed before public disclosure)
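To make the bug class concrete, the following is an added illustration written for this page, not GoAnywhere or Fortra code. It models signature-gated deserialization in Python: an HMAC stands in for the asymmetric license signature, a pickle `__reduce__` gadget stands in for a Java gadget chain, and the key, field names and payloads are all constructed. The point it demonstrates is that the signature check is only as strong as the secrecy of the signing key; once an attacker can produce an accepted signature, the deserializer itself becomes the attack surface, and the fix is to stop deserializing arbitrary object graphs rather than to trust the signature more.

```python
"""Toy analogue of the CVE-2025-10035 bug class: signature-gated deserialization.

Added example for this page, not GoAnywhere or Fortra code. HMAC stands in for
the asymmetric license signature so the demo needs only the standard library;
the argument is identical: once an attacker holds (or can forge with) the
private signing key, the signature check passes and the deserializer becomes
the attack surface. Everything below (key, field names, gadget) is constructed.
"""
import hashlib
import hmac
import json
import pickle
from dataclasses import dataclass

# Constructed stand-in for the vendor's private signing key.
SIGNING_KEY = b"vendor-private-key-constructed-for-demo"
EXECUTED = []  # records side effects of the constructed gadget


@dataclass
class License:
    customer: str
    expires: str


def sign(payload: bytes, key: bytes = SIGNING_KEY) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()


def verify(payload: bytes, sig: bytes, key: bytes = SIGNING_KEY) -> bool:
    return hmac.compare_digest(sign(payload, key), sig)


def record_execution(msg: str) -> str:
    """Side effect reached through deserialization; a real chain would spawn a shell."""
    EXECUTED.append(msg)
    return msg


class Gadget:
    """Constructed pickle gadget: __reduce__ runs code when the object is loaded,
    Python's equivalent of a Java gadget chain reached via SignedObject.getObject()."""

    def __reduce__(self):
        return (record_execution, ("attacker payload ran",))


def vulnerable_load(payload: bytes, sig: bytes):
    """Verify, then deserialize arbitrary types: the CVE-2025-10035 pattern."""
    if not verify(payload, sig):
        raise ValueError("bad signature")
    return pickle.loads(payload)  # attacker-controlled object graph


ALLOWED_FIELDS = {"customer", "expires"}


def hardened_load(payload: bytes, sig: bytes) -> License:
    """Verify, then parse a closed schema: no object graph, so no gadgets."""
    if not verify(payload, sig):
        raise ValueError("bad signature")
    # UnicodeDecodeError and JSONDecodeError are both ValueError subclasses.
    obj = json.loads(payload.decode("utf-8"))
    if not isinstance(obj, dict) or set(obj) != ALLOWED_FIELDS:
        raise ValueError("unexpected license structure")
    if not all(isinstance(v, str) for v in obj.values()):
        raise ValueError("unexpected field type")
    return License(**obj)


def demo():
    """Returns (legit license, gadget output, hardened_rejected, wrong_key_rejected)."""
    good = json.dumps({"customer": "acme", "expires": "2026-01-01"}).encode()
    lic = hardened_load(good, sign(good))

    evil = pickle.dumps(Gadget())
    evil_sig = sign(evil)  # only someone holding SIGNING_KEY can produce this
    vulnerable_load(evil, evil_sig)  # signature valid, so the gadget executes
    ran = EXECUTED[-1] if EXECUTED else None

    try:
        hardened_load(evil, evil_sig)  # same valid signature, but no deserializer to abuse
        hardened_rejected = False
    except ValueError:
        hardened_rejected = True

    try:
        vulnerable_load(evil, sign(evil, b"not-the-vendor-key"))  # without the key, rejected
        wrong_key_rejected = False
    except ValueError:
        wrong_key_rejected = True
    return lic, ran, hardened_rejected, wrong_key_rejected


if __name__ == "__main__":
    print(demo())
```

Run as a script, `demo()` shows the legitimate license parsing cleanly, the gadget firing through `vulnerable_load` with a valid signature, the same payload rejected by `hardened_load`, and the payload rejected outright when signed with the wrong key. The last case is why the private key question matters: the signature check does work, so the attackers must have satisfied it.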
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Man-in-the-Middle
Valid Accounts
System Services
Data Encrypted for Impact
Exfiltration Over Alternative Protocol
Impair Defenses
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Public-Facing Application Vulnerability Management
Control ID: 6.4.3
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management
Control ID: Art. 10
CISA ZTMM 2.0 – Continuous Verification of Application Trust
Control ID: Identity, Devices & Applications - Continuous Verification
NIS2 Directive – Incident Detection and Vulnerability Handling
Control ID: Article 21(2)(d)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
GoAnywhere MFT ransomware exploitation severely impacts secure file transfers, encrypted traffic controls, and regulatory compliance for banking operations.
Health Care / Life Sciences
CVE-2025-10035 vulnerability threatens HIPAA-compliant data transfers, patient record security, and encrypted communications in healthcare file-sharing systems.
Government Administration
Storm-1175 ransomware attacks via GoAnywhere defect compromise secure government file transfers, creating national security and data protection risks.
Information Technology/IT
File-transfer service exploitation enables lateral movement, egress security breaches, and multi-stage ransomware attacks targeting IT infrastructure providers.
Sources
- Fortra cops to exploitation of GoAnywhere file-transfer service defect (CyberScoop): https://cyberscoop.com/fortra-goanywhere-vulnerability-exploitation/
- Summary of Investigation Related to CVE-2025-10035 (GoAnywhere blog, Fortra): https://www.goanywhere.com/blog/summary-investigation-related-cve-2025-10035
- CVE-2025-10035 Critical Remote Code Execution in Fortra GoAnywhere MFT (IONIX): https://www.ionix.io/blog/cve-2025-10035/
- NVD - CVE-2025-10035: https://nvd.nist.gov/vuln/detail/CVE-2025-10035
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, workload isolation, encrypted traffic controls and outbound policy enforcement do not remove the underlying vulnerability in an exposed instance, but they could have limited the exploit's blast radius, surfaced anomalous behaviour, and blocked the lateral movement and data exfiltration stages of the kill chain.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Inline enforcement would detect and potentially block exploit attempts against cloud services.
Control: Zero Trust Segmentation
Mitigation: Segmentation policies block unauthorized privilege escalation pathways.
Control: East-West Traffic Security
Mitigation: Lateral movement attempts are detected and blocked between segmented workloads.
Control: Threat Detection & Anomaly Response
Mitigation: C2 activity is quickly detected and alerted.
Control: Egress Security & Policy Enforcement
Mitigation: Outbound policy blocks unauthorized data transfers and prevents ransomware from reaching command servers and encrypting additional cloud assets.
Impact at a Glance
Affected Business Functions
- File Transfer Operations
- Data Exchange Processes
Estimated downtime: 5 days
Estimated loss: $500,000
Potential exposure of sensitive files and credentials due to unauthorized access and data exfiltration.
Recommended Actions
Key Takeaways & Next Steps
- Implement microsegmentation and identity-based controls to limit attacker movement after an initial compromise.
- Enforce strict egress policies and FQDN filtering to block unauthorized data exfiltration and C2 communication.
- Deploy inline threat detection and anomaly response to identify and respond to suspicious behaviour in real time.
- Enable real-time inspection and centralized visibility across hybrid and multi-cloud workloads so that exploitation attempts are detected quickly.
- Patch promptly and monitor for known exploited vulnerabilities to reduce attack surface. For CVE-2025-10035 specifically: upgrade GoAnywhere MFT to 7.8.4 or Sustain Release 7.6.3, ensure the Admin Console is not reachable from the public internet, and review the Admin Audit logs for errors containing the string SignedObject.getObject, the indicator of compromise Fortra published for this vulnerability.
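The following is an added triage helper, written for this page and not Fortra tooling, that shows how the log review step above can be automated. Fortra's published indicator is real: errors containing the string SignedObject.getObject in the Admin Audit logs. The log line layout, IP addresses and messages in the sample are constructed for the demonstration, so the regular expression must be adapted to the actual export format; the second rule, flagging Admin Console activity from addresses outside RFC 1918 space, is an assumption added here to support the "no public Admin Console" recommendation.

```python
"""Post-incident triage of GoAnywhere MFT Admin Audit log exports for CVE-2025-10035.

Added example, not Fortra tooling. Fortra's advisory directs defenders to look
for errors containing the string "SignedObject.getObject" in the Admin Audit
logs; that indicator is real. The line layout, IP addresses and messages below
are constructed for the demo, so adjust LINE_RE to your export format.
"""
import ipaddress
import re
from dataclasses import dataclass

INDICATOR = "SignedObject.getObject"

# Constructed layout: "<date> <time> <LEVEL> <source-ip> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<level>[A-Z]+)\s+"
    r"(?P<src>\S+)\s+(?P<msg>.*)$"
)

# RFC 1918 plus loopback; TEST-NET addresses used in the sample count as external.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]

# Constructed sample export. Only the second line carries Fortra's indicator.
SAMPLE_LOG = """\
2025-09-11 02:14:07 INFO 10.20.30.40 Admin Console login succeeded for user admin
2025-09-11 02:15:12 ERROR 203.0.113.77 License Servlet error: java.lang.Exception at java.security.SignedObject.getObject(SignedObject.java)
2025-09-11 02:15:13 INFO 203.0.113.77 Admin Console login attempt for user root
2025-09-11 03:00:00 INFO 10.20.30.41 Scheduled job nightly-export completed
"""


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    reason: str
    msg: str


def is_internal(ip: str) -> bool:
    """True for RFC 1918 or loopback addresses; anything else at the Admin Console is suspect."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # hostnames or garbage: treat as external so they get reviewed
    return any(addr in net for net in INTERNAL_NETS)


def triage(log_text: str) -> list:
    """Return one Finding per line that matches either rule, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # in production, fix LINE_RE rather than silently skipping
        ts, src, msg = m.group("ts"), m.group("src"), m.group("msg")
        if INDICATOR in msg:
            findings.append(Finding(ts, src, "license-servlet deserialization error (Fortra IoC)", msg))
        elif "Admin Console" in msg and not is_internal(src):
            findings.append(Finding(ts, src, "Admin Console reached from non-internal address", msg))
    return findings


def suspicious_sources(findings) -> set:
    """Source addresses to pivot on in firewall, proxy and MFT transfer logs."""
    return {f.src for f in findings}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.ts, f.src, f.reason)
```

A hit on the indicator rule warrants treating the instance as compromised until proven otherwise, since the error is produced by the deserialization path that the exploit abuses; the source addresses it yields are the natural pivot into transfer logs and egress records for the exfiltration stage.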