Particle.news

Microsoft Links Medusa Affiliate to Exploits of Critical GoAnywhere Flaw

Microsoft’s findings tie the activity to Storm-1175, prompting immediate patching of internet‑exposed servers.

Overview

  • Microsoft reports that threat actor Storm-1175 has exploited CVE-2025-10035 since at least September 11, obtaining initial access via a forged GoAnywhere license response.
  • The CVSS 10.0 deserialization bug in the License Servlet enables command injection and potential remote code execution without authentication when a forged signature is accepted.
  • Observed post‑exploitation steps include deploying SimpleHelp and MeshAgent for persistence, running netscan for discovery, moving laterally with mstsc.exe, using a Cloudflare tunnel for C2, and exfiltrating data with Rclone.
  • Medusa ransomware was successfully deployed in at least one compromised environment, according to Microsoft’s investigation across multiple organizations.
  • Fortra issued patches on September 18 (versions 7.8.4 / Sustain 7.6.3). Researchers still note unanswered questions about the required 'serverkey1' signing key, Shadowserver counts 513 internet-exposed instances, and admins are urged to lock down the Admin Console and hunt their logs for SignedObject.getObject traces.
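A starting point for the SignedObject.getObject hunt mentioned above, as an added example that is not code from Microsoft, Fortra or the article: it groups Java-style stack-trace frames under the log entry that produced them and reports entries whose trace contains that frame, so a defender gets the timestamp and message of each hit rather than a bare grep match. The log excerpt and the LicenseServlet class path are constructed for illustration and are not real GoAnywhere output.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of Java application logs (not real GoAnywhere
# output): a timestamped entry followed by indented stack-trace frames.
SAMPLE_LOG = """\
2025-09-11 03:12:44 INFO  License request received
2025-09-11 03:12:45 ERROR Unhandled exception in License Servlet
    at java.security.SignedObject.getObject(SignedObject.java:178)
    at com.example.goanywhere.LicenseServlet.doPost(LicenseServlet.java:91)
2025-09-12 09:00:01 INFO  Scheduled job completed
2025-09-13 17:40:02 ERROR Connection reset
    at java.net.SocketInputStream.read(SocketInputStream.java:186)
"""

# Entry header: "<date> <time> <LEVEL> <message>"; frame: "    at <class.method>("
ENTRY_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\w+)\s+(.*)$")
FRAME_RE = re.compile(r"^\s+at (\S+)\(")
INDICATOR = "SignedObject.getObject"  # frame named in the hunting guidance


def find_signedobject_traces(log_text: str) -> List[Dict[str, object]]:
    """Return the log entries whose stack trace contains SignedObject.getObject.

    Frames are attached to the most recent entry header, so each hit carries
    the entry's timestamp, level, message and full frame list for triage.
    """
    hits: List[Dict[str, object]] = []
    current: Dict[str, object] | None = None
    for line in log_text.splitlines():
        header = ENTRY_RE.match(line)
        if header:
            current = {"time": header.group(1), "level": header.group(2),
                       "message": header.group(3), "frames": []}
            continue
        frame = FRAME_RE.match(line)
        if frame and current is not None:
            current["frames"].append(frame.group(1))
            # Record each entry once, even if the indicator appears in several frames.
            if INDICATOR in frame.group(1) and (not hits or hits[-1] is not current):
                hits.append(current)
    return hits


if __name__ == "__main__":
    for hit in find_signedobject_traces(SAMPLE_LOG):
        print(hit["time"], hit["level"], hit["message"], "->", hit["frames"])
```

Point the function at the real log files of an exposed GoAnywhere instance; any hit dated on or after September 11 deserves a full incident review rather than just a patch.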