Microsoft Confirms GoAnywhere Exploitation: What IT Leaders Need to Know

Shawn Akins • October 13, 2025

How a Zero-Day in GoAnywhere MFT Sparked a Ransomware Wave—and What Mid-Sized IT Leaders Must Do Now

As cyber threats evolve, mid-sized organizations remain prime targets for ransomware groups exploiting vulnerabilities in widely used tools. Recently, Microsoft Threat Intelligence confirmed that a financially motivated group, tracked as Storm-1175, actively exploited a maximum-severity vulnerability (CVE-2025-10035) in GoAnywhere Managed File Transfer (MFT) software. This flaw allowed attackers to execute remote code, install monitoring tools, deploy web shells, and ultimately launch Medusa ransomware attacks.


What Happened?

  • The vulnerability was exploited as a zero-day, giving attackers a head start before patches were released.
  • Attackers leveraged built-in Windows utilities for lateral movement and used tools like Rclone for data theft.
  • Indicators of compromise (IOCs) were later added to Fortra’s advisory, but transparency from the vendor has been limited.


Why It Matters for Mid-Sized Organizations

File transfer services like GoAnywhere often handle sensitive data, making them high-value targets. Exploitation can lead to:

  • Data exfiltration and extortion
  • Operational downtime
  • Regulatory and reputational risks


Action Steps for IT Leaders

  1. Patch Immediately: Ensure GoAnywhere MFT instances are updated to the latest version.
  2. Monitor for IOCs: Review logs for suspicious activity using indicators provided by Fortra and Microsoft.
  3. Harden Access Controls: Implement MFA and least-privilege principles across all systems.
  4. Layered Defense: Combine endpoint protection, network monitoring, and threat intelligence to reduce exposure.
  5. Incident Response Readiness: Validate your ransomware playbook and backup strategy.
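For step 2, vendor-published indicators can be supplemented with a behavioral check for the Rclone data theft described above. The script below is an added example, not code from Fortra, Microsoft, or this article: it flags Rclone-shaped process-creation events, including a renamed binary. It assumes JSON-lines events with Sysmon-style `Image`, `OriginalFileName`, and `CommandLine` fields; the sample events, file names, and remote name are constructed.

```python
import json
import ntpath
import re

# rclone subcommands that move data to another location.
TRANSFER_VERBS = {"copy", "sync", "move", "copyto", "moveto"}
# rclone addresses a destination as "remote:path". Names of one letter are
# skipped so drive paths (C:\data) do not match; "://" excludes URLs.
REMOTE_SPEC = re.compile(r"^[A-Za-z0-9_-]{2,}:(?!//)\S*$")

def classify(event):
    """Return the reasons a process-creation event looks like Rclone use."""
    reasons = []
    image = ntpath.basename(event.get("Image", "")).lower()
    original = event.get("OriginalFileName", "").lower()
    tokens = [t.strip('"') for t in event.get("CommandLine", "").split()]
    if image == "rclone.exe":
        reasons.append("image-name")
    elif original == "rclone.exe":
        # PE version metadata still says rclone although the file was renamed.
        reasons.append("renamed-binary")
    has_verb = any(t.lower() in TRANSFER_VERBS for t in tokens)
    has_remote = any(REMOTE_SPEC.match(t) for t in tokens)
    if has_verb and has_remote:
        reasons.append("transfer-to-remote")
    return reasons

def scan(lines):
    """List (image basename, reasons) for every flagged event."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        reasons = classify(event)
        if reasons:
            hits.append((ntpath.basename(event["Image"]).lower(), reasons))
    return hits

# Constructed sample events (not real telemetry, not vendor-published IOCs).
SAMPLE_LOG = r'''
{"Image": "C:\\Windows\\System32\\cmd.exe", "OriginalFileName": "Cmd.Exe", "CommandLine": "cmd.exe /c copy C:\\temp\\a.txt D:\\backup\\a.txt"}
{"Image": "C:\\ProgramData\\svchelper.exe", "OriginalFileName": "rclone.exe", "CommandLine": "svchelper.exe copy D:\\shares remote-constructed:bucket --transfers 8"}
{"Image": "C:\\Tools\\rclone.exe", "OriginalFileName": "rclone.exe", "CommandLine": "rclone.exe version"}
'''

if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_LOG.splitlines()):
        print(image, reasons)
```

Legitimate backup jobs that use Rclone will also match, so hits on a file transfer server should be triaged against known scheduled tasks.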


The Bigger Picture

This incident underscores the importance of proactive vulnerability management and vendor transparency. Mid-sized organizations often lack the resources of large enterprises, making partnerships with trusted security providers and managed detection services critical.
